
Analysis Report z2.bin

Overview

General Information

Sample Name:z2.bin (renamed file extension from bin to dll)
Analysis ID:299752
MD5:afc9327807688d86aac574e7b9031dfb
SHA1:3c69e7dad2f0f4b6c5c7501b874744431ba7b88c
SHA256:4b0c5b4530a9218d6030a7040a10ea5be84ffa3696601732ee7212691521474f

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 4072 cmdline: loaddll32.exe 'C:\Users\user\Desktop\z2.dll' MD5: 6A3082E6152C823BF9EB895EA06EA605)
    • rundll32.exe (PID: 2224 cmdline: C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\z2.dll',DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5732 cmdline: rundll32.exe C:\Users\user\Desktop\z2.dll,Magnetcourse MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
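The Startup section shows the two ways the sandbox drove the DLL: rundll32.exe with a quoted path and the DllRegisterServer export, and rundll32.exe with an unquoted path and the non-standard export Magnetcourse. Both command-line shapes are exactly what process-creation telemetry (Sysmon event 1, EDR) records in a real intrusion, and both carry the two cues a triage rule should key on: a DLL under a user-writable directory and an export name that legitimate rundll32 usage never calls. The following is an added example, not part of the Joe Sandbox report; the event strings are constructed to mirror the Startup lines plus hypothetical benign ones, the COMMON_EXPORTS set and USER_WRITABLE markers are the example's own heuristics, and nothing here is a rule from the report.

```python
import re
from dataclasses import dataclass

# Constructed process-creation command lines modelled on the two rundll32.exe
# invocations in the Startup section; the remaining entries are hypothetical.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\z2.dll',DllRegisterServer",
    r"rundll32.exe C:\Users\user\Desktop\z2.dll,Magnetcourse",
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL inetcpl.cpl",
    r"C:\Windows\System32\rundll32.exe shell32.dll,OpenAs_RunDLL C:\temp\x.dat",
    r"C:\Windows\System32\notepad.exe C:\temp\notes.txt",
]

# rundll32 syntax: <image> <dll>,<export|#ordinal> [args]. The DLL may be quoted with
# " or ' (the sandbox's own command lines use both). Unquoted paths containing spaces
# are not parsed here although rundll32 accepts them; treat a non-match as "review",
# not "benign".
RUNDLL_RE = re.compile(r'''
    ^\s*(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+          # image, quoted or bare
    (?:"(?P<dq>[^"]+)"|'(?P<sq>[^']+)'|(?P<bare>[^,\s]+))     # DLL path
    \s*,\s*(?P<export>[^\s,]+)                                # export name or #ordinal
''', re.IGNORECASE | re.VERBOSE)

# Exports that routinely appear in legitimate rundll32 command lines (example's own
# list). Membership only removes one reason: the sample above is also driven through
# DllRegisterServer, and ShellExec_RunDLL is a well-known living-off-the-land entry.
COMMON_EXPORTS = {
    "dllregisterserver", "dllunregisterserver", "control_rundll", "openas_rundll",
    "shellexec_rundll", "installhinfsection", "launchinfsection", "printuientry",
}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")

REASON_USER_PATH = "DLL loaded from a user-writable location"
REASON_BARE_NAME = "DLL named without a path and resolved via the DLL search order"
REASON_ODD_EXPORT = "export is not a commonly used rundll32 entry point"


@dataclass
class RundllCall:
    cmdline: str
    dll: str
    export: str
    reasons: list

    @property
    def suspicious(self):
        # A bare system DLL name alone is low weight; path or export anomalies escalate.
        return REASON_USER_PATH in self.reasons or REASON_ODD_EXPORT in self.reasons


def triage(cmdline):
    """Parse one process-creation command line; None if it is not a rundll32 call."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    dll = m.group("dq") or m.group("sq") or m.group("bare")
    export = m.group("export")
    reasons, low = [], dll.lower()
    if "\\" not in low:
        reasons.append(REASON_BARE_NAME)
    elif any(marker in low for marker in USER_WRITABLE):
        reasons.append(REASON_USER_PATH)
    if export.lower() not in COMMON_EXPORTS:
        reasons.append(REASON_ODD_EXPORT)
    return RundllCall(cmdline, dll, export, reasons)


def triage_all(events):
    """Return every parsed rundll32 call, suspicious ones first, most reasons first."""
    calls = [c for c in (triage(e) for e in events) if c is not None]
    return sorted(calls, key=lambda c: (not c.suspicious, -len(c.reasons)))


if __name__ == "__main__":
    for call in triage_all(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if call.suspicious else "ok"
        print(f"{flag:10} {call.dll},{call.export}  {'; '.join(call.reasons)}")
```

Run against the constructed events, the Magnetcourse invocation ranks first (user path plus unknown export), the DllRegisterServer invocation second (user path only), and the two shell32.dll calls are not flagged. The export-name test is deliberately weak on its own: what makes the report's chain worth a detection is the combination of a DLL on the user's Desktop with rundll32.exe, not the export string.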

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: z2.dll | Virustotal: Detection: 10%
Machine Learning detection for sample
Source: z2.dll | Joe Sandbox ML: detected
Other signatures (static and behavioral evidence):

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E28B724 FindFirstFileExA, 1_2_6E28B724
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E28B724 FindFirstFileExA, 2_2_6E28B724
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov eax, dword ptr [ebp+08h] 1_2_6E255210
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then push FCCE1918h 1_2_6E24A670
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then movzx edi, byte ptr [ecx] 1_2_6E25A690
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then push 01555467h 1_2_6E2517F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then push 00000001h 1_2_6E259020
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4x nop then mov edi, dword ptr [ebp+ebx*4-00000118h] 1_2_6E256980
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98%
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E241310
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E249130
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E247110
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E27BC50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E285D7D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E27B1C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E27BC50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E285D7D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E27B1C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E27F090 appears 60 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E283E71 appears 36 times
Source: z2.dll | Binary or memory string: OriginalFilename Science.dll8 vs z2.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal52.winDLL@5/2@0/0
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Users\user\AppData\Local\Temp\tmp.txt
Source: z2.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\z2.dll',DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\z2.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\z2.dll,Magnetcourse
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\z2.dll',DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\z2.dll,Magnetcourse
Source: z2.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: z2.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: z2.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: z2.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: z2.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: z2.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: z2.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: e:\32\kill\83\26\40\64\Far\Quick\Card\54\Board\5\Science.pdb | source: rundll32.exe, 00000001.00000002.468888984.000000006E293000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.468856376.000000006E293000.00000002.00020000.sdmp, z2.dll
Source: z2.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: z2.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: z2.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: z2.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: z2.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: z2.dll | Static PE information: real checksum: 0x8a9e1 should be: 0x8e814
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_00960C36 push ebp; iretd 1_2_00960C3E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E27EF27 push ecx; ret 1_2_6E27EF3A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E267FA7 push dword ptr [edx-74333301h]; iretd 1_2_6E267FC2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E268257 push ebp; retf 1_2_6E26825F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E266B24 push dword ptr [ebx+5E05CCFFh]; iretd 1_2_6E266B36
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E27F0D6 push ecx; ret 1_2_6E27F0E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E2C7746 push ebp; iretd 1_2_6E2C774E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_01140C36 push ebp; iretd 2_2_01140C3E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E27EF27 push ecx; ret 2_2_6E27EF3A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E267FA7 push dword ptr [edx-74333301h]; iretd 2_2_6E267FC2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E268257 push ebp; retf 2_2_6E26825F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E266B24 push dword ptr [ebx+5E05CCFFh]; iretd 2_2_6E266B36
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E27F0D6 push ecx; ret 2_2_6E27F0E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2C7746 push ebp; iretd 2_2_6E2C774E
Source: initial sample | Static PE information: section name: .text entropy: 6.81275162809
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E28325F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E28325F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E259460 mov eax, dword ptr fs:[00000030h] 1_2_6E259460
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E284F08 mov eax, dword ptr fs:[00000030h] 1_2_6E284F08
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E2C70B5 mov eax, dword ptr fs:[00000030h] 1_2_6E2C70B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E2C6FEB mov eax, dword ptr fs:[00000030h] 1_2_6E2C6FEB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E2C6BF3 push dword ptr fs:[00000030h] 1_2_6E2C6BF3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E284F08 mov eax, dword ptr fs:[00000030h] 2_2_6E284F08
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2C70B5 mov eax, dword ptr fs:[00000030h] 2_2_6E2C70B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2C6FEB mov eax, dword ptr fs:[00000030h] 2_2_6E2C6FEB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E2C6BF3 push dword ptr fs:[00000030h] 2_2_6E2C6BF3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E27F40F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6E27F40F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E27F2ED IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E27F2ED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E27F40F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E27F40F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E28325F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E28325F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6E27F2ED IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E27F2ED
Source: rundll32.exe, 00000001.00000002.468314619.0000000003220000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.468253964.0000000003220000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: rundll32.exe, 00000001.00000002.468314619.0000000003220000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.468253964.0000000003220000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000001.00000002.468314619.0000000003220000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.468253964.0000000003220000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: rundll32.exe, 00000001.00000002.468314619.0000000003220000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.468253964.0000000003220000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E27F10D cpuid 1_2_6E27F10D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_6E28E65F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 1_2_6E28DF9F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 1_2_6E28DFEA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6E28E48B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 1_2_6E2884D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_6E28DD27
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 1_2_6E28E592
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 1_2_6E28E362
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 1_2_6E28887D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 1_2_6E28E085
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E28E65F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6E28DF9F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6E28DFEA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E28E48B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6E2884D8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E28DD27
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 2_2_6E28E592
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 2_2_6E28E362
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 2_2_6E28887D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6E28E085
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E27F60A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_6E27F60A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E243C40 TrackPopupMenu,GetCommandLineW,GetVersion,GetSysColor, 1_2_6E243C40

Reading note: a number of the hits above have the shape of the statically linked MSVC C runtime rather than sample-specific logic, which is consistent with the moderate score of 52. The IsProcessorFeaturePresent/IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter chains at 6E27F2ED, 6E27F40F and 6E28325F, the GetSystemTimeAsFileTime/GetCurrentThreadId/GetCurrentProcessId/QueryPerformanceCounter sequence at 6E27F60A and the GetLocaleInfoW/EnumSystemLocalesW/IsValidCodePage cluster between 6E2884D8 and 6E28E65F all match the CRT's startup, security-cookie and locale code. Operands such as "push dword ptr [edx-74333301h]; iretd" are what a linear-sweep disassembler produces on non-code bytes, so the push/ret and iretd/retf hits need manual confirmation before being counted as deliberate obfuscation. The findings that are specific to this file are the invalid PE checksum, the OriginalFilename mismatch (Science.dll vs z2.dll) together with the PDB path e:\32\kill\...\Science.pdb, the exported entry point Magnetcourse, the file write to C:\Users\user\AppData\Local\Temp\tmp.txt, and the sustained >98% CPU in rundll32.exe with no network activity.
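Three of the static findings above are cheap to reproduce and worth re-checking by hand, because each depends only on the file: the section characteristics of .text (IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ), the checksum mismatch ("real checksum: 0x8a9e1 should be: 0x8e814", i.e. the value stored in the optional header versus the value the image hashes to), and the .text entropy of 6.81. The following is an added example, not part of the Joe Sandbox report and not the sandbox's code; it uses only the Python standard library, and because no real sample is embedded it builds a constructed, non-loadable minimal DLL image in memory (build_sample_pe) to run against. The checksum routine is the documented imagehlp algorithm; the entropy thresholds in the comments are rules of thumb, not figures from the report.

```python
import math
import random
import struct
from collections import Counter

SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
SECTION_FLAGS = {                       # subset of section Characteristics bits
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def pe_checksum(data, checksum_offset):
    """imagehlp CheckSumMappedFile: sum every dword except the CheckSum field with
    end-around carry, fold to 16 bits, add the file length."""
    padded = data + b"\x00" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue                    # the field being computed is skipped
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def shannon_entropy(buf):
    """Bits per byte: 8.0 is uniform noise; compiled x86 code usually sits around 5 to 6.8,
    and a code section above roughly 7.2 is a packing/encryption hint (rule of thumb)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def parse_pe(data):
    """Locate the CheckSum field and the section table of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt_off = e_lfanew + 24
    checksum_off = opt_off + 64         # same offset in PE32 and PE32+
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    sections = []
    for i in range(nsections):
        hdr = struct.unpack_from(SECTION_HDR, data, opt_off + opt_size + 40 * i)
        name, rawsize, rawptr, flags = hdr[0], hdr[3], hdr[4], hdr[9]
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), rawptr, rawsize, flags))
    return checksum_off, stored, sections


def analyze(data):
    """Checksum validity plus per-section entropy and characteristics."""
    checksum_off, stored, sections = parse_pe(data)
    computed = pe_checksum(data, checksum_off)
    report = {"checksum_offset": checksum_off, "checksum_stored": stored,
              "checksum_computed": computed, "checksum_valid": stored == computed, "sections": []}
    for name, rawptr, rawsize, flags in sections:
        report["sections"].append({
            "name": name,
            "entropy": round(shannon_entropy(data[rawptr:rawptr + rawsize]), 3),
            "flags": [n for bit, n in SECTION_FLAGS.items() if flags & bit],
            # a writable+executable section is a stronger self-modification hint than entropy
            "exec_and_write": bool(flags & 0x20000000 and flags & 0x80000000),
        })
    return report


def build_sample_pe(stored_checksum=None):
    """Constructed minimal 32-bit DLL image (not a real sample, not loadable) with a low-entropy
    .text and a pseudo-random .data; stored_checksum overrides the correct value."""
    rng = random.Random(299752)
    text = b"\x90" * 400 + b"\xC3" * 112                          # 512 bytes of nop/ret
    datasec = bytes(rng.getrandbits(8) for _ in range(1024))      # looks packed
    sections = [(b".text", text, 0x20 | 0x20000000 | 0x40000000),
                (b".data", datasec, 0x40 | 0x40000000 | 0x80000000)]
    file_align, sect_align, e_lfanew = 0x200, 0x1000, 0x40
    sect_hdrs, body, rva, raw = b"", b"", sect_align, file_align
    for name, content, flags in sections:
        sect_hdrs += struct.pack(SECTION_HDR, name, len(content), rva, len(content), raw, 0, 0, 0, 0, flags)
        rva, raw, body = rva + sect_align, raw + len(content), body + content
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)  # i386, DLL
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 512, 1024, 0, 0x1000, 0x1000, 0x2000, 0x10000000,
                      sect_align, file_align, 6, 0, 0, 0, 6, 0, 0, rva, file_align, 0,
                      2, 0x0140, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # 0x140 = DYNAMIC_BASE|NX_COMPAT
    headers = (dos + b"PE\x00\x00" + coff + opt + b"\x00" * 128 + sect_hdrs).ljust(file_align, b"\x00")
    image = bytearray(headers + body)
    checksum_off = e_lfanew + 24 + 64
    value = pe_checksum(bytes(image), checksum_off) if stored_checksum is None else stored_checksum
    struct.pack_into("<I", image, checksum_off, value)
    return bytes(image)
```

Calling analyze(build_sample_pe(0x8A9E1)) reproduces the report's style of finding: the stored value is returned as checksum_stored, the recomputed one as checksum_computed, and checksum_valid is False. On real files the checksum is only a weak signal (the field is zero in many legitimate binaries and the loader does not verify it for user-mode images), so the useful pattern is the one here: a non-zero, wrong value, which typically means the file was modified after linking.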

Mitre Att&ck Matrix

Techniques the report's signatures map to, grouped by tactic; the number in parentheses is the count of matching signatures:

  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (2), DLL Side-Loading (1)
  • Defense Evasion: Process Injection (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Rundll32 (1), Software Packing (1), DLL Side-Loading (1)
  • Discovery: System Time Discovery (1), Security Software Discovery (1), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (23)
  • Collection: Archive Collected Data (1)
  • Command and Control: Encrypted Channel (1)

No technique was matched under Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects or Impact; the matrix shows only its default technique placeholders in those columns.

Behavior Graph

Behavior Graph ID: 299752, Sample: z2.bin, Start date: 18/10/2020, Architecture: WINDOWS, Score: 52. The graph shows loaddll32.exe started for the sample with two rundll32.exe child processes; the root node carries the signatures "Multi AV Scanner detection for submitted file" and "Machine Learning detection for sample". No dropped file, DNS or IP node appears in the graph.
