Analysis Report dgiusjeja64_mediasrv.png

Overview

General Information

Sample Name: dgiusjeja64_mediasrv.png (renamed file extension from png to dll)
Analysis ID: 370722
MD5: c13860727871a39063e0bb58117919ba
SHA1: 4f91c6240d459858b7723e843d2ed37e1e9d152b
SHA256: 8fa363bec94402d57a8c1acb288e9d9ca0a28eee18d300359e83252c60e01719

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info

Startup

  • System is w10x64
  • loaddll64.exe (PID: 2792 cmdline: loaddll64.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll' MD5: 8E81A09C7B4484341759E793AC330CB2)
    • rundll32.exe (PID: 5504 cmdline: rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 784 cmdline: rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,SvchostPushServiceGlobals MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6108 cmdline: rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,decra MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 5816 cmdline: C:\Windows\system32\WerFault.exe -u -p 6108 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • cmd.exe (PID: 3176 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5448 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 1744 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6072 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 3396 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',decra MD5: 73C519F050C20580F8A62C849D49215A)
      • WerFault.exe (PID: 4912 cmdline: C:\Windows\system32\WerFault.exe -u -p 3396 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
    • rundll32.exe (PID: 5812 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6076 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: dgiusjeja64_mediasrv.dll | Avira: detected
Multi AV Scanner detection for submitted file
Source: dgiusjeja64_mediasrv.dll | Virustotal: Detection: 48%
Source: dgiusjeja64_mediasrv.dll | Metadefender: Detection: 45%
Source: dgiusjeja64_mediasrv.dll | ReversingLabs: Detection: 78%
Source: dgiusjeja64_mediasrv.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D05B4 FindFirstFileExA
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D03A8
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D53F8
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C1654
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6108 -s 316
Source: dgiusjeja64_mediasrv.dll | Binary or memory string: OriginalFilenameAdobe type6 vs dgiusjeja64_mediasrv.dll
Source: classification engine | Classification label: mal56.winDLL@23/8@0/1
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C7FD8 GetCurrentThreadId,GetCurrentProcessId,CreateToolhelp32Snapshot,Thread32First,OpenThread,ResumeThread,SuspendThread,FindCloseChangeNotification,Thread32Next,CloseHandle
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C5CD8 GetModuleHandleW,FindResourceW,LoadResource
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3396
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6108
Source: C:\Windows\System32\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4093.tmp
Source: dgiusjeja64_mediasrv.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 identical entries)
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll'
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,SvchostPushServiceGlobals
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,decra
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6108 -s 316
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',decra
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3396 -s 316
Source: dgiusjeja64_mediasrv.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: dgiusjeja64_mediasrv.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: dgiusjeja64_mediasrv.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dgiusjeja64_mediasrv.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dgiusjeja64_mediasrv.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dgiusjeja64_mediasrv.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dgiusjeja64_mediasrv.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dgiusjeja64_mediasrv.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C5D8C GetModuleFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GetCurrentProcess,WriteProcessMemory,LoadLibraryW,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GetCurrentProcess,WriteProcessMemory,LoadLibraryW,GetProcAddress,wsprintfA,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory
Source: dgiusjeja64_mediasrv.dll | Static PE information: section name: _RDATA
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C7FD8 GetCurrentThreadId,GetCurrentProcessId,CreateToolhelp32Snapshot,Thread32First,OpenThread,ResumeThread,SuspendThread,FindCloseChangeNotification,Thread32Next,CloseHandle
Source: C:\Windows\System32\loaddll64.exe TID: 3112 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 3112 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D05B4 FindFirstFileExA
Source: C:\Windows\System32\rundll32.exe | Process queried: DebugPort (4 identical entries)
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C9810 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C7FD8 GetCurrentThreadId,GetCurrentProcessId,CreateToolhelp32Snapshot,Thread32First,OpenThread,ResumeThread,SuspendThread,FindCloseChangeNotification,Thread32Next,CloseHandle
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C5D8C GetModuleFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GetCurrentProcess,WriteProcessMemory,LoadLibraryW,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GetCurrentProcess,WriteProcessMemory,LoadLibraryW,GetProcAddress,wsprintfA,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D1624 GetProcessHeap
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C9810 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522CE0B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C90E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522D4FD0 cpuid
Source: C:\Windows\System32\rundll32.exe | Code function: 1_2_00007FFB522C93E0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API 1 | Path Interception | Process Injection 11 | Virtualization/Sandbox Evasion 2 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rundll32 1 | LSASS Memory | Security Software Discovery 4 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 11 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | File and Directory Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 370722
Sample: dgiusjeja64_mediasrv.png
Start date: 18/03/2021
Architecture: WINDOWS
Score: 56

Graph summary (recovered from the rendered graph): the sample triggered "Antivirus / Scanner detection for submitted sample" and "Multi AV Scanner detection for submitted file"; loaddll64.exe started rundll32.exe, rundll32.exe, cmd.exe and 6 other processes; two of the rundll32.exe processes each started WerFault.exe.