
Analysis Report api-ms-win-core-localization-l1-2-0.dll

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 193843
Start date: 05.12.2019
Start time: 08:00:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: api-ms-win-core-localization-l1-2-0.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean4.winDLL@46/12@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .dll
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 40.90.22.192, 40.90.22.187, 40.90.22.191, 93.184.220.29, 52.158.208.111, 51.143.111.7
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, cs9.wac.phicdn.net, lgin.msa.trafficmanager.net, ocsp.digicert.com, login.live.com, watson.telemetry.microsoft.com, login.msa.msidentity.com

Detection

Strategy: Threshold
Score: 4
Range: 0 - 100
Reporting Whitelisted: true
Detection: clean

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Classification label: clean4.winDLL@46/12@0/0

Analysis Advice

The sample crashes during execution; try analysing it on another analysis machine.
The sample tries to load a library that is not present or installed on the analysis machine; adding the library might reveal more behaviour.

Both items deserve a caveat in this report. The crashes occurred in the rundll32.exe host processes (WerFault.exe was started for PIDs 2504, 1200 and 4484), and every "missing library" load listed in the signature section is made by WerFault.exe, not by the sample. Combined with the static findings (no import table, OriginalFilename apisetstub, a certificate with Microsoft as issuer), this is consistent with a Windows API-set forwarder stub, whose exports forward to the implementing system DLL rather than carrying code of their own, so neither a different analysis machine nor an extra library is likely to change the verdict.



Mitre Att&ck Matrix

Techniques with a number in parentheses matched that many signatures in this analysis; the remaining entries are the matrix's unmatched placeholders, listed in the order the matrix shows them.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Rundll32 (1); Graphical User Interface (1); Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection (2); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Modify Registry (1); Virtualization/Sandbox Evasion (3); Process Injection (2); Rundll32 (1); DLL Side-Loading (1)
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Process Discovery (2); Security Software Discovery (2); System Information Discovery (11); Remote System Discovery (1); Remote System Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol
Impact: Data Destruction; Data Encrypted for Impact; Disk Structure Wipe; Disk Content Wipe; Service Stop

Signature Overview



System Summary:

One or more processes crash
Source: unknown; Process created: C:\Windows\System32\WerFault.exe; command line: C:\Windows\system32\WerFault.exe -u -p 2504 -s 304

PE file does not import any functions
Source: api-ms-win-core-localization-l1-2-0.dll; Static PE information: No import functions for PE file found

Sample file name differs from the original file name in its version info
Source: api-ms-win-core-localization-l1-2-0.dll; Binary or memory string: OriginalFilename apisetstub (extracted string 'apisetstubj%', the trailing characters being binary noise) vs api-ms-win-core-localization-l1-2-0.dll

Tries to load missing DLLs (all of these loads are made by the crash handler WerFault.exe, not by the sample)
Source: C:\Windows\System32\WerFault.exe; Section loaded: sfc.dll
Source: C:\Windows\System32\WerFault.exe; Section loaded: phoneinfo.dll (3 occurrences)
Source: C:\Windows\System32\WerFault.exe; Section loaded: ext-ms-win-xblauth-console-l1.dll (6 occurrences)

Classification label
Source: classification engine; Classification label: clean4.winDLL@46/12@0/0

Creates mutexes
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4484
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2504
Source: C:\Windows\System32\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1200

Creates temporary files
Source: C:\Windows\System32\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER711.tmp

Reads software policies
Source: C:\Windows\System32\loaddll64.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Reads the hosts file
Source: C:\Windows\System32\WerFault.exe; File read: C:\Windows\System32\drivers\etc\hosts (6 occurrences)

Runs a DLL by calling functions
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll',DllRegisterServer

Spawns processes
Source: unknown; Process created: C:\Windows\System32\loaddll64.exe; command line: loaddll64.exe 'C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll'
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll',DllRegisterServer
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,ConvertDefaultLocale
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,EnumSystemGeoID
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,EnumSystemLocalesA
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,EnumSystemLocalesW
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,FindNLSString
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,FindNLSStringEx
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,FormatMessageA
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,FormatMessageW
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetACP
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetCPInfo
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetCPInfoExW
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetCalendarInfoEx
Source: unknown; Process created: C:\Windows\System32\WerFault.exe; command line: C:\Windows\system32\WerFault.exe -u -p 2504 -s 304
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetCalendarInfoW
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetFileMUIInfo
Source: unknown; Process created: C:\Windows\System32\WerFault.exe; command line: C:\Windows\system32\WerFault.exe -u -p 1200 -s 304
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetFileMUIPath
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetGeoInfoW
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetLocaleInfoA
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetLocaleInfoEx
Source: unknown; Process created: C:\Windows\System32\WerFault.exe; command line: C:\Windows\system32\WerFault.exe -u -p 4484 -s 304
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetLocaleInfoW
Source: unknown; Process created: C:\Windows\System32\rundll32.exe; command line: rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetNLSVersion
Source: C:\Windows\System32\loaddll64.exe; Process created: each of the 21 rundll32.exe processes listed above (DllRegisterServer plus the 20 named exports), with the same command lines; loaddll64.exe is the parent of every rundll32.exe host.
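The rundll32.exe command lines above are the raw material behind the Rundll32 and DLL Side-Loading entries in the matrix. The following triage script is an added example written for this page, not Joe Sandbox code and not anything belonging to the sample: it extracts the DLL path and the export name (or #ordinal) from each rundll32 command line in the quoting styles seen above and flags DLLs that are not loaded from an absolute path under C:\Windows. The trusted-path rule, the `flagged` field and the two shell32.dll lines in the sample input are assumptions of this example; the other sample lines are copied from the report.

```python
"""Added example (not Joe Sandbox code): parse rundll32 command lines from
process-creation records and flag DLLs outside an absolute C:\\Windows path."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# rundll32[.exe] <dll>,<export|#ordinal> [args]. The DLL may be single-quoted,
# double-quoted or bare; a bare path cannot contain spaces or a comma.
RUNDLL32_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+(?:'(?P<q1>[^']+)'|"(?P<q2>[^"]+)"|(?P<bare>[^\s,]+)),\s*(?P<export>\S+)""",
    re.IGNORECASE,
)

# Assumption of this example: only absolute paths under C:\Windows (except the
# world-writable Temp and Tasks directories) are treated as trusted.
TRUSTED_PREFIX = "c:\\windows\\"
UNTRUSTED_UNDER_WINDOWS = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")


@dataclass
class Rundll32Call:
    dll: str
    export: str
    flagged: bool  # True when the DLL is not at an absolute path under C:\Windows


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Return the (dll, export) pair of a rundll32 command line, or None if it is not one."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return None
    dll = m.group("q1") or m.group("q2") or m.group("bare")
    low = dll.lower()
    trusted = low.startswith(TRUSTED_PREFIX) and not low.startswith(UNTRUSTED_UNDER_WINDOWS)
    # A bare file name (no drive letter) is resolved through loader search order,
    # so it is flagged as well: the command line does not say which file loaded.
    return Rundll32Call(dll=dll, export=m.group("export"), flagged=not trusted)


def summarize(lines: List[str]) -> dict:
    """Aggregate counts over many process-creation lines (non-rundll32 lines are skipped)."""
    calls = [c for c in map(parse_rundll32, lines) if c is not None]
    return {
        "calls": len(calls),
        "flagged": sum(c.flagged for c in calls),
        "exports": Counter(c.export for c in calls),
        "dlls": sorted({c.dll for c in calls}),
    }


# Constructed input: command lines copied from the report plus two shell32.dll
# lines (one absolute System32 path, one bare name with an ordinal) for contrast.
SAMPLE_LINES = [
    r"C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll',DllRegisterServer",
    r"rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,ConvertDefaultLocale",
    r"rundll32.exe C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll,GetACP",
    r"loaddll64.exe 'C:\Users\user\Desktop\api-ms-win-core-localization-l1-2-0.dll'",
    r"C:\Windows\system32\WerFault.exe -u -p 2504 -s 304",
    r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',  # constructed, benign
    r"rundll32.exe shell32.dll,#61",                                    # constructed, ordinal form
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        call = parse_rundll32(line)
        if call:
            print(f"{'FLAG' if call.flagged else 'ok  '} {call.dll}  ->  {call.export}")
    print(summarize(SAMPLE_LINES))
```

Run against the report's 21 rundll32 lines, every call is flagged because the DLL sits on the analysis user's Desktop; the export counter shows the sandbox invoking each export once, which is the cookbook's enumeration rather than behaviour of the sample itself.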
Found GUI installer (many successful clicks)
Source: C:\Windows\System32\rundll32.exe; Automated click: OK (2 occurrences)

PE / OLE file has a valid certificate
Source: api-ms-win-core-localization-l1-2-0.dll; Static PE information: certificate valid

PE / OLE file has a valid certificate with Microsoft as Issuer
Source: initial sample; Static PE information: Valid certificate with Microsoft Issuer

PE file has a high image base, often used for DLLs
Source: api-ms-win-core-localization-l1-2-0.dll; Static PE information: Image base 0x180000000 > 0x60000000

Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: api-ms-win-core-localization-l1-2-0.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

PE file contains a debug data directory
Source: api-ms-win-core-localization-l1-2-0.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: rundll32.exe, 00000001.00000001.1833698140.00000157BB750000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000001.1834072865.0000024C42740000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000001.1844588865.0000026783CE0000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000001.1855174540.0000010AA5230000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000001.1865982263.000001C9FA440000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000001.1876675716.000001371C7C0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000001.1898963833.0000027264C60000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000001.1909844934.0000026597440000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000001.1920485367.000001DDBA1F0000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000001.1931150357.0000017531150000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000001.1941715368.0000021281EC0000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.2003858300.000001E0F9
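The static findings above (image base above 0x60000000, DYNAMIC_BASE / NX_COMPAT / HIGH_ENTROPY_VA, no import table, a debug directory, an attached certificate) can be reproduced from the PE headers without a sandbox. The following is an added example written for this page, not Joe Sandbox's implementation: it parses the COFF and optional headers with the Python standard library only and applies the report's own 0x60000000 image-base threshold. The header bytes produced by `build_sample_pe64()` are an assumption that imitates the report's findings, not the analysed file; pass a path on the command line to check a real DLL.

```python
"""Added example (not Joe Sandbox code): stdlib-only static PE header checks
mirroring the report's static signatures. The sample bytes are constructed."""
import struct
import sys

IMAGE_FILE_DLL = 0x2000
DLLCHAR_HIGH_ENTROPY_VA = 0x0020
DLLCHAR_DYNAMIC_BASE = 0x0040
DLLCHAR_NX_COMPAT = 0x0100
DLLCHAR_GUARD_CF = 0x4000
DIR_IMPORT, DIR_SECURITY, DIR_DEBUG = 1, 4, 6  # data directory indices


def _rd(data: bytes, fmt: str, off: int) -> tuple:
    """unpack_from with a bounds check, so truncated headers raise ValueError."""
    if off + struct.calcsize(fmt) > len(data):
        raise ValueError("header truncated at offset 0x%x" % off)
    return struct.unpack_from(fmt, data, off)


def parse_pe(data: bytes) -> dict:
    """Pull the header fields the checks need from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = _rd(data, "<I", 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsect, _ts, _symp, _nsym, _opt_size, characteristics = _rd(data, "<HHIIIHH", coff)
    opt = coff + 20
    (magic,) = _rd(data, "<H", opt)
    if magic == 0x20B:                      # PE32+ (64-bit): ImageBase is 8 bytes at +24
        (image_base,) = _rd(data, "<Q", opt + 24)
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:                    # PE32: ImageBase is 4 bytes at +28
        (image_base,) = _rd(data, "<I", opt + 28)
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dllchar,) = _rd(data, "<H", opt + 70)  # DllCharacteristics, same offset in both
    (ndirs,) = _rd(data, "<I", ndirs_off)
    ndirs = min(ndirs, 16)
    dirs = [_rd(data, "<II", dirs_off + 8 * i) for i in range(ndirs)]  # (VirtualAddress, Size)
    return {"characteristics": characteristics, "image_base": image_base,
            "dllchar": dllchar, "dirs": dirs}


def triage(data: bytes) -> dict:
    """Boolean findings in the same spirit as the report's static signatures."""
    pe = parse_pe(data)

    def present(i: int) -> bool:  # a directory counts as present when its size is non-zero
        return i < len(pe["dirs"]) and pe["dirs"][i][1] != 0

    return {
        "is_dll": bool(pe["characteristics"] & IMAGE_FILE_DLL),
        "high_image_base": pe["image_base"] > 0x60000000,  # the report's own threshold
        "dynamic_base": bool(pe["dllchar"] & DLLCHAR_DYNAMIC_BASE),
        "nx_compat": bool(pe["dllchar"] & DLLCHAR_NX_COMPAT),
        "high_entropy_va": bool(pe["dllchar"] & DLLCHAR_HIGH_ENTROPY_VA),
        "guard_cf": bool(pe["dllchar"] & DLLCHAR_GUARD_CF),
        "no_imports": not present(DIR_IMPORT),
        "has_debug_dir": present(DIR_DEBUG),
        # Only says an Authenticode blob is attached; validity needs chain verification.
        "has_authenticode_blob": present(DIR_SECURITY),
    }


def build_sample_pe64() -> bytes:
    """Constructed PE32+ header (headers only, no sections) shaped like the report's findings."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240,
                       IMAGE_FILE_DLL | 0x0022)                   # DLL | EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = bytearray(240)                                          # 112-byte fixed part + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<Q", opt, 24, 0x180000000)
    struct.pack_into("<H", opt, 70,
                     DLLCHAR_HIGH_ENTROPY_VA | DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112 + 8 * DIR_SECURITY, 0x400, 0x1000)  # placeholder offset/size
    struct.pack_into("<II", opt, 112 + 8 * DIR_DEBUG, 0x2000, 0x38)      # placeholder RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe64()
    for name, hit in triage(blob).items():
        print(f"{name:22s} {hit}")
```

A populated security directory only shows that an Authenticode signature is attached. Whether it is valid and chains to Microsoft, as the report states, has to be verified separately, for example with PowerShell's Get-AuthenticodeSignature or `signtool verify /pa`, and the verdict "clean" should rest on that verification rather than on the presence of the blob.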

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Windows\System32\WerFault.exe; Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket

Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX (21 occurrences)
Source: C:\Windows\System32\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 occurrences)
Source: C:\Windows\System32\WerFault.exe; Process information set: NOOPENFILEERRORBOX (60 occurrences)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll64.exe TID: 4320; Thread sleep time: -60000s >= -30000s

Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\WerFault.exe; File opened: PhysicalDrive0

Queries a list of all running processes
Source: C:\Windows\System32\WerFault.exe; Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\System32\rundll32.exe; Process queried: DebugPort (6 occurrences)

Enables debug privileges
Source: C:\Windows\System32\WerFault.exe; Process token adjusted: Debug (3 occurrences)

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
These are strings found in memory dumps of the rundll32.exe host processes, not in the sample file.
Source: rundll32.exe, 00000010.00000000.1959635219.000001E0F9F30000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000000.1976572559.000002D947CE0000.00000002.00000001.sdmp, rundll32.exe, 0000001B.00000000.2023248649.0000020280000000.00000002.00000001.sdmp; Binary or memory string: Program Manager
Source: same memory dumps; Binary or memory string: Shell_TrayWnd
Source: same memory dumps; Binary or memory string: Progman
Source: same memory dumps; Binary or memory string: Progmanlock

Behavior Graph

Behavior Graph ID: 193843; Sample: api-ms-win-core-localization-l1-2-0.dll; Start date: 05/12/2019; Architecture: WINDOWS; Score: 4

Process tree recovered from the graph: loaddll64.exe, started from the sample, spawned 21 rundll32.exe processes (three drawn individually plus "18 other processes"); three of those rundll32.exe processes each spawned a WerFault.exe crash handler. No dropped files, DNS/IP information or internet activity is marked in the graph.

Simulations

Behavior and APIs

Time: 08:02:35; Type: API Interceptor; Description: 3x Sleep call for process: WerFault.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: api-ms-win-core-localization-l1-2-0.dll; Detection: 0%; Scanner: Virustotal; Label: none
Source: api-ms-win-core-localization-l1-2-0.dll; Detection: 0%; Scanner: Metadefender; Label: none

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context
