Analysis Report netping.dll

Overview

General Information

Sample Name: netping.dll
Analysis ID: 417560
MD5: 250cb957728dba0f3ae2c1c1e9bae241
SHA1: aa3f37a75d3ba2ee74955c06eb308ad0cd6bca2e
SHA256: f1103e627311e73d5f29e877243e7ca203292f9419303c661aec57745eb4f26c
Tags: dll, Hancitor, pingtool
Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sleep loop found (likely to delay execution)
Uses 32bit PE files

Analysis Advice

Sample may be VM or Sandbox-aware, try analysis on a native machine
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Startup

  • System is w10x64
  • loaddll32.exe (PID: 968 cmdline: loaddll32.exe 'C:\Users\user\Desktop\netping.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 2576 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\netping.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6148 cmdline: rundll32.exe 'C:\Users\user\Desktop\netping.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4832 cmdline: rundll32.exe C:\Users\user\Desktop\netping.dll,Start MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 22696 cmdline: rundll32.exe 'C:\Users\user\Desktop\netping.dll',Start MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Source: netping.dll - Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: netping.dll - Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: netping.dll - Binary string: F:\Source\WorkNew17\NetPing\ReleaseDLL\NetPing.pdb
Source: loaddll32.exe, 00000000.00000002.469628946.0000000000EAB000.00000004.00000020.sdmp - Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: classification engine - Classification label: clean3.winDLL@9/0@0/100
Source: netping.dll - Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe - Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown - Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\netping.dll'
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\netping.dll',#1
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\netping.dll,Start
Source: C:\Windows\System32\loaddll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\netping.dll',Start
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\netping.dll',#1
Source: netping.dll - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: netping.dll - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: netping.dll - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: netping.dll - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: netping.dll - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: netping.dll - Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: netping.dll - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: netping.dll - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: netping.dll - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: netping.dll - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: netping.dll - Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe - Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe - Window / User API: threadDelayed 1515
Source: C:\Windows\SysWOW64\rundll32.exe - Window / User API: threadDelayed 1407
Source: C:\Windows\SysWOW64\rundll32.exe - Window / User API: threadDelayed 1147
Source: all processes - Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe - Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe - Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe - Thread sleep count: Count: 1515 delay: -25
Source: C:\Windows\SysWOW64\rundll32.exe - Thread sleep count: Count: 1407 delay: -25
Source: C:\Windows\SysWOW64\rundll32.exe - Thread sleep count: Count: 1147 delay: -25
Source: C:\Windows\System32\loaddll32.exe - Thread delayed: delay time: 120000

Mitre Att&ck Matrix

Techniques listed per tactic column; trailing digits after a technique name are the matrix's signature-count badges, reproduced as extracted.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux)
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Privilege Escalation: Process Injection 11, Boot or Logon Initialization Scripts, Logon Script (Windows)
  • Defense Evasion: Rundll32 1, Virtualization/Sandbox Evasion 12, Process Injection 11
  • Credential Access: Input Capture 1, LSASS Memory, Security Account Manager
  • Discovery: Virtualization/Sandbox Evasion 12, Application Window Discovery 1, System Information Discovery 1
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
  • Collection: Input Capture 1, Data from Removable Media, Data from Network Shared Drive
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
  • Command and Control: Data Obfuscation, Junk Data, Steganography
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data

Behavior Graph

[Behavior graph image not reproduced. Graph ID: 417560, Sample: netping.dll, Start date: 19/05/2021, Architecture: WINDOWS, Score: 3]

Relationships recoverable from the graph:

  • loaddll32.exe started cmd.exe and two rundll32.exe processes
  • cmd.exe started a further rundll32.exe
  • one rundll32.exe contacted 192.168.1.100, 192.168.1.101 and 97 other IPs or domains
  • the rundll32.exe started by cmd.exe contacted 192.168.8.4
