Play interactive tour

Edit tour

Analysis Report soft.dll

Overview

General Information

Sample Name:	soft.dll
Analysis ID:	430072
MD5:	627c8a536ed728b1b9e6d2dad958ac0c
SHA1:	03f6ab6dd415ca980cc0ab1f36f3d306e18c99bc
SHA256:	10ab600004b40a318004a19a90374c6430dcf5b2219dda9e6e017a424e3e0503
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4760 cmdline: loaddll32.exe 'C:\Users\user\Desktop\soft.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 2292 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5348 cmdline: rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5328 cmdline: rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5908 cmdline: rundll32.exe C:\Users\user\Desktop\soft.dll,Groupshop MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5912 cmdline: rundll32.exe C:\Users\user\Desktop\soft.dll,Stoodbroad MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: soft.dll

Virustotal: Detection: 13%

Perma Link

Source: soft.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: soft.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\Until\moon\old-speak\bright\come.pdb source: loaddll32.exe, 00000000.00000002.526260148.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.505285261.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.491588581.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.498620240.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.533256829.000000006E234000.00000002.00020000.sdmp, soft.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FEF8D FindFirstFileExW,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FEF8D FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FEF8D FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose,

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match

File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match

File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_6E1E2485 NtQueryVirtualMemory,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E210EFC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E205F50
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F1FD2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F1D6D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E20EA21
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F1AF9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E205B20
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1E6BDF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F18C7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E20E901
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E205600
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E206616
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F1686
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F1454
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F1213
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F2237
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E204277
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E2130C4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E209110
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E210EFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E205F50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F1FD2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F1D6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E20EA21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F1AF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E205B20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1E6BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F18C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E20E901
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E205600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E206616
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F1686
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F1454
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F1213
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F2237
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E204277
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2130C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E209110
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1E2264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E205600
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F1686
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E210EFC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E205F50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F1FD2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F1454
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F1D6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E20EA21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F1213
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F2237
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F1AF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E205B20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F18C7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E2130C4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E20E901
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E209110

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E1E33B0 appears 59 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E1F8C8A appears 54 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E1FE6CA appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E1E33B0 appears 60 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E1F8C8A appears 54 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6E1FE6CA appears 63 times

Source: soft.dll

Binary or memory string: OriginalFilenamecome.dllx, vs soft.dll

Source: soft.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal56.troj.winDLL@11/0@0/0

Source: soft.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget

Source: soft.dll

Virustotal: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\soft.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Groupshop
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Stoodbroad
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Groupshop
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Stoodbroad
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: soft.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: soft.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: soft.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: soft.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: soft.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: soft.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: soft.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: soft.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: soft.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: soft.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: soft.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: soft.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: soft.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_6E1E1F31 LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E216E00 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1E33F6 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E216E00 push ecx; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E212342 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1E33F6 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1E2200 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1E2253 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E216E00 push ecx; mov dword ptr [esp], ecx

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match

File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\loaddll32.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 2.8 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 1.1 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FEF8D FindFirstFileExW,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FEF8D FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FEF8D FindFirstFileExW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E20DE00 IsDebuggerPresent,OutputDebugStringW,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_6E1E1F31 LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FE88E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FE8D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FE916 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FE947 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F567F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FE6F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F5704 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FE73B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FE77E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1FE7D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FE88E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FE8D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FE916 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FE947 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F567F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FE6F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F5704 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FE73B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FE77E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1FE7D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F567F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FE6F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F5704 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FE73B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FE77E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FE7D9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FE88E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FE8D2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FE916 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1FE947 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E201302 GetProcessHeap,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1F4EA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1E2918 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1E32F2 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E1E315D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1F4EA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1E2918 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1E32F2 SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E1E315D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_6E1F4EA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1

Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1E340B cpuid

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E1E3080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 6_2_6E1E146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match

File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match

File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection12	Rundll321	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery23	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
soft.dll	13%	Virustotal		Browse
soft.dll	14%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	430072
Start date:	06.06.2021
Start time:	10:11:59
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	soft.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.troj.winDLL@11/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 45.3% (good quality ratio 43.5%) Quality average: 84.6% Quality standard deviation: 25.8%
HCA Information:	Successful, ratio: 64% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, UsoClient.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.516081805018269
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	soft.dll
File size:	472064
MD5:	627c8a536ed728b1b9e6d2dad958ac0c
SHA1:	03f6ab6dd415ca980cc0ab1f36f3d306e18c99bc
SHA256:	10ab600004b40a318004a19a90374c6430dcf5b2219dda9e6e017a424e3e0503
SHA512:	ec2073aae6c7a5e9ce936f1e97ada62cb8d793877048c45a0c4e5281844b058ccb82d5314e0b71da28998a6095fc9eb2ce61ff8276541d051c3cae0ed0aa216f
SSDEEP:	12288:e+Y4HM0hzA82rPr7XidWUrtiK+h6Ol5tz4ynpivaR+:rYvLHi4Ur7+h6OlrR+
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.}.x..Nx..Nx..Nq..Nn..NC..Oz..NC..O\|..NC..Oi..NC..Ou..N.l.Ns..Nx..N...NC..Oy..NC..OX..NC..Ny..NC..Oy..NRichx..N...............

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10028bd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x59253A0D [Wed May 24 07:45:17 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fe31dd6739d0b573a8bd9bb5789aff6b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F99C8F994D7h
call 00007F99C8F99C8Ah
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F99C8F9938Ah
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F99C8F99191h
pop ecx
pop ebp
ret
mov dword ptr [ecx], 01054AB0h
ret
push ebp
mov ebp, esp
test byte ptr [ebp+08h], 00000001h
push esi
mov esi, ecx
mov dword ptr [esi], 01054AB0h
je 00007F99C8F994DCh
push 0000000Ch
push esi
call 00007F99C8F994A6h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0105415Ch]
push dword ptr [ebp+08h]
call dword ptr [01054160h]
push C0000409h
call dword ptr [01054158h]
push eax
call dword ptr [01054154h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F99C8FC8D0Bh
test eax, eax
je 00007F99C8F994D7h
push 00000002h
pop ecx
int 29h
mov dword ptr [01070C88h], eax
mov dword ptr [01070C84h], ecx
mov dword ptr [01070C80h], edx
mov dword ptr [01070C7Ch], ebx
mov dword ptr [01070C78h], esi
mov dword ptr [01070C74h], edi
mov word ptr [01070CA0h], ss
mov word ptr [eax], es

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6f180	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6f1f0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc3000	0x488	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc4000	0x2c58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6dc60	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6dcb8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x54000	0x47c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x52de6	0x52e00	False	0.593246252828	data	6.78851030835	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x54000	0x1bdec	0x1be00	False	0.523735285874	data	4.90694135639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x70000	0x51e28	0xc00	False	0.2138671875	data	2.95477963021	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0xc2000	0x228	0x400	False	0.25390625	data	1.74574859447	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc3000	0x488	0x600	False	0.364583333333	data	3.05582166323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc4000	0x2c58	0x2e00	False	0.771654211957	data	6.63160130152	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xc30a0	0x34c	data	English	United States
RT_MANIFEST	0xc33f0	0x91	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	GetModuleFileNameA, GetEnvironmentVariableA, GetVersion, GetTempPathA, OpenMutexA, GetSystemDirectoryA, LoadLibraryA, FileTimeToLocalFileTime, VirtualProtectEx, ExitProcess, GetCurrentProcessId, CreateEventA, OutputDebugStringW, WriteConsoleW, CreateFileW, ReadConsoleW, ReadFile, CloseHandle, HeapReAlloc, HeapSize, GetStringTypeW, SetFilePointerEx, GetFileSizeEx, SetStdHandle, GetConsoleMode, GetConsoleCP, WriteFile, FlushFileBuffers, SetConsoleCtrlHandler, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, FindClose, GetCurrentThread, GetFileType, GetStdHandle, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, HeapAlloc, HeapFree, GetModuleFileNameW, GetModuleHandleExW, LoadLibraryExW, GetProcAddress, FreeLibrary, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, RtlUnwind, SetLastError, GetLastError, InterlockedFlushSList, InterlockedPushEntrySList, RaiseException, EncodePointer, GetModuleHandleW, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, QueryPerformanceCounter, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, DecodePointer
ole32.dll	CoCreateInstance, CoUninitialize, CoInitialize, CLSIDFromString
comsvcs.dll	SafeRef
OLEAUT32.dll	VarRound, VarR8FromBool, SafeArrayCreateVectorEx, VariantChangeTypeEx, VarUI1FromBool, VarI8FromCy, DispCallFunc, VarAdd, OleCreatePropertyFrame, VarCyMulI8, VariantCopy, VarBstrFromI4, SysAllocString, VarNeg, VarUI8FromStr, VarMonthName, VarDateFromI2, VarUI4FromI8, VarTokenizeFormatString, SafeArrayDestroyData, VarUI1FromDate, VarNot, VarBoolFromCy, VarUI8FromCy, VarBstrFromR4, VariantTimeToDosDateTime, VarDateFromUI1, VarI2FromI4, VarUI4FromCy, VarBoolFromUI1, OaBuildVersion, VarUI1FromStr, VarDateFromDisp, VarBstrFromDisp, VarCyFromDisp, VarCyFromR4, VarI8FromDec, SysAllocStringByteLen, VarI8FromDate, VarI8FromUI8, VarI2FromCy, BSTR_UserUnmarshal, VarUI4FromUI8, VarI8FromR8, VarFormatFromTokens, VarUI4FromR8, SysStringByteLen, VarUI4FromDisp, VarI8FromDisp, RegisterTypeLib, OleCreateFontIndirect, BSTR_UserMarshal, VarUI4FromBool, VarFormat, VarUI4FromI2, VarI2FromUI1, CreateTypeLib2, SafeArrayAllocDescriptorEx, SysFreeString, VarUI4FromUI1, VarXor, SafeArrayCreateEx, OleLoadPicturePath, VariantCopyInd, VarUI1FromI4, VarUI1FromDisp, VarFix, VarUI8FromUI2, SafeArraySetRecordInfo, LoadTypeLib, CreateTypeLib, VarUI1FromI2, VarCyFromDate, VarDateFromR4, VarBoolFromI4, VariantInit, VarI2FromI8, VarDateFromUdateEx, LoadRegTypeLib, RegisterActiveObject, VarDecMul, VarBoolFromDate, SysReAllocString, VarUI8FromI2, VarCyFromStr, VarBstrFromR8, VarCyFromI2, VarUI8FromI1, GetRecordInfoFromTypeInfo, VarCat, VarUI4FromUI2, VarBoolFromR4, SafeArrayPtrOfIndex, VarI8FromBool, VarI8FromUI4, VarUI4FromI4, UnRegisterTypeLib, OleLoadPicture, LHashValOfNameSysA, VarInt, VarUI4FromDec, VarUI4FromI1, VarAnd, SystemTimeToVariantTime, DosDateTimeToVariantTime, VarUI8FromR8, VarDiv, SafeArrayRedim, VarUI8FromBool, VarUI8FromUI1, VarUI8FromR4, VarUI2FromUI4, VarCyFromI4, VarDecAdd, LHashValOfNameSys, VarUI4FromDate, VarCyFromUI1, OleLoadPictureFile, VarBoolFromDisp, VarI2FromR4, VarBstrFromBool, VarI8FromI2, VarBstrFromI2, CreateStdDispatch, OleCreatePictureIndirect, GetRecordInfoFromGuids, VarBstrFromCy, GetActiveObject, VarUI1FromR8, VarDecDiv, VarDateFromStr, SysReAllocStringLen, VarUI1FromR4, VarFormatNumber, VarI8FromR4, VarI2FromR8, VarI8FromStr, VarUI4FromR4, OleCreatePropertyFrameIndirect, VarFormatPercent, VarDateFromR8, VarUI8FromDisp, VarParseNumFromStr, VarI8FromUI1, RevokeActiveObject, VariantTimeToSystemTime, VarUI2FromDec, SysStringLen, ClearCustData, OleIconToCursor, SafeArrayGetRecordInfo, VarCyFromR8, VarDateFromCy, VarBoolFromStr, OleTranslateColor, VarBstrFromDate, VarI2FromUI8, VarDecAbs, SafeArrayCreate, BSTR_UserFree, VarUI8FromDate, SafeArrayDestroyDescriptor, OleSavePictureFile, SysAllocStringLen, VarNumFromParseNum, VarI8FromUI2, SafeArrayAllocData, LoadTypeLibEx, VarAbs, SafeArrayAllocDescriptor, VarFormatCurrency, VarWeekdayName, VarDateFromBool, VarDecSub, QueryPathOfRegTypeLib, VarDateFromI4, VariantChangeType, VarBoolFromR8, VarI8FromI1, VarCyFromBool, VarUI1FromCy, VariantClear, VarUI8FromI8, VarFormatDateTime, VarUI4FromStr, VarBstrFromUI1, BSTR_UserSize, VarBoolFromI2

Exports

Name	Ordinal	Address
Bottomget	1	0x1036380
Groupshop	2	0x1036200
Stoodbroad	3	0x1036cf0

Version Infos

Description	Data
LegalCopyright	Copyright (C) Microsoft Corp. 1981-1999
InternalName	come.dll
FileVersion	5.6.8.577
CompanyName	Microsoft Corporation
ProductName	Microsoft(R) Windows NT(R) Operating System
ProductVersion	5.6.8.577
FileDescription	Microsoft Wall Even Right
OriginalFilename	come.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4760 Parent PID: 5648

General

Start time:	10:12:43
Start date:	06/06/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\soft.dll'
Imagebase:	0xe30000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 2292 Parent PID: 4760

General

Start time:	10:12:44
Start date:	06/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5328 Parent PID: 4760

General

Start time:	10:12:44
Start date:	06/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget
Imagebase:	0x270000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5348 Parent PID: 2292

General

Start time:	10:12:44
Start date:	06/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Imagebase:	0x270000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5908 Parent PID: 4760

General

Start time:	10:12:48
Start date:	06/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\soft.dll,Groupshop
Imagebase:	0x270000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5912 Parent PID: 4760

General

Start time:	10:12:53
Start date:	06/06/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\soft.dll,Stoodbroad
Imagebase:	0x270000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report soft.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 4760 Parent PID: 5648

General

Analysis Process: cmd.exe PID: 2292 Parent PID: 4760

General

Analysis Process: rundll32.exe PID: 5328 Parent PID: 4760

General