Loading ...

Play interactive tourEdit tour

Analysis Report KMS-R@1nHook.dll

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:218155
Start date:26.03.2020
Start time:10:07:56
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 3s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:KMS-R@1nHook.dll
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:13
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal56.winDLL@9/0@1/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .dll
Warnings:
Show All
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 40.90.137.125, 40.90.23.208, 40.90.137.124, 52.158.208.111, 2.18.68.82, 205.185.216.10, 205.185.216.42, 8.253.204.120, 8.248.121.254, 8.241.121.126, 67.27.159.254, 67.27.159.126, 23.37.58.89, 67.27.233.254, 67.27.157.126, 67.26.81.254
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, fs.microsoft.com, lgin.msa.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net, login.msa.msidentity.com, e5684.g.akamaiedge.net, login.live.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold560 - 100falsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification Spiderchart

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsRundll321Winlogon Helper DLLProcess Injection1Virtualization/Sandbox Evasion1Credential DumpingVirtualization/Sandbox Evasion1Application Deployment SoftwareData from Local SystemData CompressedStandard Non-Application Layer Protocol1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaService ExecutionPort MonitorsAccessibility FeaturesProcess Injection1Network SniffingProcess Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesWindows Management InstrumentationAccessibility FeaturesPath InterceptionRundll321Input CaptureSecurity Software Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationCustom Cryptographic ProtocolExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseScheduled TaskSystem FirmwareDLL Search Order HijackingDLL Side-Loading1Credentials in FilesSystem Information Discovery11Logon ScriptsInput CaptureData EncryptedMultiband CommunicationSIM Card SwapPremium SMS Toll Fraud

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Antivirus detection for sampleShow sources
Source: KMS-R@1nHook.dllAvira: detection malicious, Label: SPR/Hacktool.4096
Multi AV Scanner detection for submitted fileShow sources
Source: KMS-R@1nHook.dllVirustotal: Detection: 47%Perma Link
Source: KMS-R@1nHook.dllMetadefender: Detection: 35%Perma Link
Source: KMS-R@1nHook.dllReversingLabs: Detection: 51%

Networking:

barindex
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: site-cdn.onenote.net

System Summary:

barindex
One or more processes crashShow sources
Source: unknownProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4304 -s 308
Tries to load missing DLLsShow sources
Source: C:\Windows\System32\WerFault.exeSection loaded: sfc.dllJump to behavior
Classification labelShow sources
Source: classification engineClassification label: mal56.winDLL@9/0@1/0
Creates mutexesShow sources
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5028
Source: C:\Windows\System32\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4304
Creates temporary filesShow sources
Source: C:\Windows\System32\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER669A.tmpJump to behavior
PE file has an executable .text section and no other executable sectionShow sources
Source: KMS-R@1nHook.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policiesShow sources
Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Runs a DLL by calling functionsShow sources
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\KMS-R@1nHook.dll',DllRegisterServer
Sample is known by AntivirusShow sources
Source: KMS-R@1nHook.dllVirustotal: Detection: 47%
Source: KMS-R@1nHook.dllMetadefender: Detection: 35%
Source: KMS-R@1nHook.dllReversingLabs: Detection: 51%
Spawns processesShow sources
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\KMS-R@1nHook.dll'
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\KMS-R@1nHook.dll',DllRegisterServer
Source: unknownProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\KMS-R@1nHook.dll,LoadLibraryWHook
Source: unknownProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4304 -s 308
Source: unknownProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\KMS-R@1nHook.dll,RpcStringBindingComposeWHook
Source: unknownProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5028 -s 324
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\KMS-R@1nHook.dll',DllRegisterServerJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\KMS-R@1nHook.dll,LoadLibraryWHookJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\KMS-R@1nHook.dll,RpcStringBindingComposeWHookJump to behavior
PE file has a high image base, often used for DLLsShow sources
Source: KMS-R@1nHook.dllStatic PE information: Image base 0x180000000 > 0x60000000
Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
Source: KMS-R@1nHook.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
PE file contains a debug data directoryShow sources
Source: KMS-R@1nHook.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbolsShow sources
Source: Binary string: C:\Users\Ra1n\Desktop\Re-Loader V20Final\SppExtComObjPatcher-12.01.2014\Release\x64\KMS-R@1nHook.pdb source: KMS-R@1nHook.dll

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Queries disk information (often used to detect virtual machines)Show sources
Source: C:\Windows\System32\WerFault.exeFile opened: PhysicalDrive0Jump to behavior
Queries a list of all running processesShow sources
Source: C:\Windows\System32\WerFault.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Enables debug privilegesShow sources
Source: C:\Windows\System32\WerFault.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WerFault.exeProcess token adjusted: DebugJump to behavior

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 218155 Sample: KMS-R@1nHook.dll Startdate: 26/03/2020 Architecture: WINDOWS Score: 56 20 site-cdn.onenote.net 2->20 22 Antivirus detection for sample 2->22 24 Multi AV Scanner detection for submitted file 2->24 8 loaddll64.exe 1 2->8         started        signatures3 process4 process5 10 rundll32.exe 8->10         started        12 rundll32.exe 8->12         started        14 rundll32.exe 8->14         started        process6 16 WerFault.exe 18 3 10->16         started        18 WerFault.exe 3 12->18         started       

Simulations

Behavior and APIs

TimeTypeDescription
10:09:23API Interceptor2x Sleep call for process: WerFault.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
KMS-R@1nHook.dll48%VirustotalBrowse
KMS-R@1nHook.dll36%MetadefenderBrowse
KMS-R@1nHook.dll52%ReversingLabsWin64.Hacktool.Hackkms
KMS-R@1nHook.dll100%AviraSPR/Hacktool.4096

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

SourceDetectionScannerLabelLink
site-cdn.onenote.net0%VirustotalBrowse

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.