Windows Analysis Report SecuriteInfo.com.Trojan.Loader.788.32290.4876
Overview
General Information
Sample Name: | SecuriteInfo.com.Trojan.Loader.788.32290.4876 (renamed file extension from 4876 to dll) |
Analysis ID: | 483796 |
MD5: | ab4dabb7296c60f618a8bba9ec194659 |
SHA1: | 3a71cbe4e689eab68fb642bb94a4995102b03a9d |
SHA256: | 58d3533e94bd90a6aaff46e76f8f264f63aebd84ea246ab5074a32457e3ba39b |
Tags: | dll |
Detection
Score: | 56 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
AV Detection: |
---|
Antivirus / Scanner detection for submitted sample |
Source: | Avira: |
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Process created: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | File created: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Classification label: |
Source: | Process created: |
Source: | Mutant created: |
Source: | File read: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Registry key monitored for changes: |
Source: | Process information set: |
Source: | Thread delayed: |
Source: | Code function: |
Source: | Process queried: |
Source: | Code function: |
Source: | Process created: |
Source: | Binary or memory string: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Rundll321 | Input Capture1 | Query Registry1 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion11 | LSASS Memory | Security Software Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Virtualization/Sandbox Evasion11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
42% | Virustotal | | |
75% | ReversingLabs | Win32.Trojan.Spynoon | |
100% | Avira | TR/Injector.nhqlj | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 483796 |
Start date: | 15.09.2021 |
Start time: | 13:52:25 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 25s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | SecuriteInfo.com.Trojan.Loader.788.32290.4876 (renamed file extension from 4876 to dll) |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 35 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal56.winDLL@12/12@0/0 |
EGA Information: | Failed |
HDC Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
13:53:35 | API Interceptor | |
13:53:38 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12054 |
Entropy (8bit): | 3.7682059970537845 |
Encrypted: | false |
SSDEEP: | 192:RK7ioe0oXuHBUZMX4jed+2/u7sxS274It7cOj:0iVXmBUZMX4jer/u7sxX4It7cOj |
MD5: | 86BD6549A7E27119E4A3E9DDF4A977B7 |
SHA1: | 8CEEA87A087935532EF6FE002D08C88EB5DAC39E |
SHA-256: | 353D6E6BF581AE9EBC69F8FF3407232DCECBC4E76A014765324702A9E832B4AA |
SHA-512: | A7094EEDDC9CC060CDBC03A769C2263B10A33A9884B22FFB6682309D834D27627032CB9BE591C674DAF580DABAEFAD3FB7CE194585B793976BD77C99BF99700B |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12058 |
Entropy (8bit): | 3.7663689980206785 |
Encrypted: | false |
SSDEEP: | 192:zjGfie0oXoHBUZMX4jed+W/u7sxS274It7cp:mfioXQBUZMX4jeL/u7sxX4It7cp |
MD5: | FF49F91FF9717087EC08F0DCDA859EA3 |
SHA1: | 3E30A9E01C88CC8F07D9BEF114468C33AB79CE72 |
SHA-256: | F05D1D14B55BE37B5657EF2B7343683FA70F6E2D10D24770D4C7EB865BDB3C4D |
SHA-512: | C820D689C5BFE807905F62484520F55D398721F15DB710D75CD6449DC735FB21C64F9340A6537DDF09A007558D285CFCB1EEE018662A66593F0C598EC6B9A831 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 12056 |
Entropy (8bit): | 3.7692159594188963 |
Encrypted: | false |
SSDEEP: | 192:PiJin0oXpHBUZMX4jed+2/u7sxS274It7cb:PYiZXZBUZMX4jer/u7sxX4It7cb |
MD5: | E901566F9DEFF5EB99704D6C0D368A45 |
SHA1: | 296E07F22C1CF49446AF6C6751A28A27F655B789 |
SHA-256: | C5B61422644920ED8A2FD877283BD9017266B8CA87B3089E2AD0C5AA39C5B58D |
SHA-512: | 0EF020FD7A734B537B475B917593EBA3D590D9F304D4E9B92AC3C37DC15F14A4C01963CD527AF83EF2830BC49738025A475BA20B91DF58053869A66AE9E8EDED |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8350 |
Entropy (8bit): | 3.6936358656587402 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiMV476RT6YsG6Gkgmf8eSULCprD89bASsfbgm:RrlsNiMK76l6Yt6Fgmf8eS0ARf5 |
MD5: | 80F1D885C49D9C1EC8A669A5B64AFF0B |
SHA1: | 62389C2AB6262E29AE4D081F33D3E8F7C70074FD |
SHA-256: | B8DFE63CAAF170279CBE2343571827B37FF21B1026B109938080F2CB089CD902 |
SHA-512: | BEB1E88D158E6334CF561690B90C44F568A3E08DFF8BAE3C709B6BAC914D0E3D5F5976EE2AC78C65A94BA928FC4B4A2B1DB2B5FBD63CA0856A0CFD6642859628 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4771 |
Entropy (8bit): | 4.482621902564733 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsMJgtWI9sKWSC8BB8fm8M4JCds0MFD9G+q8vjs0+/4SrSWd:uITfKTrSN8Jy9KtyDWWd |
MD5: | DF2EBAC1356D5234DBF6BFFEEB831E79 |
SHA1: | 9D4F889F3E18EBA9A3CBF114729448EC223254E4 |
SHA-256: | 78F21DD61CD2CAB39F9E04F62B56FD812B44E38B6A08007C6D25C1060E17D679 |
SHA-512: | C5B26271E8B4569033F8B5A997A3E7639FD21000927888768E21120E59CDC1ACC5E162091408F1C7E86510151E2A1E40C33E295A4D066435700B34D01211FFC6 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 45656 |
Entropy (8bit): | 2.0950508424754974 |
Encrypted: | false |
SSDEEP: | 192:rHJySCjl5KngWoYjOjranVMznIhedXmm7YWo32n/cx:E14gWoYjO0ezgedl7Ykkx |
MD5: | B67508136C326CB677E34B3AAC0F2E3E |
SHA1: | 9C79D30CF3675FAEC5EE7FC81112DE254C0B136C |
SHA-256: | 4D89A57A9B56A60326412F3212205D0E389B6BAB6E99CFCDAA0FED0CA9CB4EFD |
SHA-512: | 11487B622919183CF4B9246AECF6F8E3FFBD21B49E12BCB53CBBA992976609584C3EBB3016FF9D9219F7D2095C0FFB4C624ED64035289F3D9B7F8018CED15327 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 44400 |
Entropy (8bit): | 2.1565002610099397 |
Encrypted: | false |
SSDEEP: | 192:Q9jGzCnwipenYYro887/VsnVMznIheF36mXoRwpoZnrAl:YjGzmwipqqtp2ezgeFJXoRwQrAl |
MD5: | 80CAE7E73B80D05DA2C3A26C20BB81E2 |
SHA1: | 26AC82249A95C87C2C66B1B8087970E18552D44E |
SHA-256: | 2E3C888DFBD7D838E3AD431B1C15C94C5FCA00667F7EA1122CDF767DC8C69521 |
SHA-512: | 32F21EDE2621035FFEEE78C8F4B06579D64D73025A885BF5C27B0981543BC41ABC82EE388BDE8073EA545AB1951E6B60F2C315DEDDF99388F4F3A10A48BC6741 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8350 |
Entropy (8bit): | 3.69247674327344 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiCK6OPQsDe6YsJ6Gkgmf8eSULCprP89bO7sfs6m:RrlsNiv6n6YS6Fgmf8eSQOAfQ |
MD5: | 1D722310DA0BE6C77B1A583B512CF5E0 |
SHA1: | 465F562C0D0AFA6FC70C511FD71CEC6552EC42F8 |
SHA-256: | 336E2F48B3D17B8ACDF7B2A307357562C43DD1A1E444E5BC6B6B59716F611589 |
SHA-512: | 7F557348979B3A27C521ED5CA166CDEEF1AF6D1417E2D0EBA35282F627613E7A8E32D35B225ABE38468955DB2CA66CB0BCB36A9E376F76DE5890D0FC4E330D55 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8354 |
Entropy (8bit): | 3.693517483856706 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNi+76yPQJ6Yon69gmf8eSULCpr589bO3sfh6m:RrlsNii676YY69gmf8eSWO8fd |
MD5: | 3C9941FD1111189E866CE851CB48BCF5 |
SHA1: | 756CE3AA51FD855CF3EC6EC742F67C187BC0B816 |
SHA-256: | 6D903703B561E450D699A37BE1B3CFED440BDDDB7CBBFA193382A77640DC75E5 |
SHA-512: | 19FB44B078A279DCE10994883690980E7B350C065016BEB5DDB24EDEEFC3747D428FA15D12D7C6C6F240BBEE0A846DDAC9306F1E20E1893CCA427604CEC8A997 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4771 |
Entropy (8bit): | 4.481897753406463 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsMJgtWI9sKWSC8Bpa8fm8M4JCds0MFL+q8vjs0dEzn4SrS1d:uITfKTrSNzJyyKtWDW1d |
MD5: | 01311CAD72C0BC8B0D021426C1971DD5 |
SHA1: | 0C79FCB1CAFEC26B639CFED9713730687693FC2B |
SHA-256: | F83F36E2796F7C4DBFA72217987C73581C3FD0E3E17CCF4F7C18ABADB4DE1C66 |
SHA-512: | CF78EF0988774A1444E862E7DD29F5452434FB4593D9F6E0A5ECF50B5EAB5A5BB603F8476FF7B5771B94A534A0586E7D6084A1B377E6E9EE114FEB5124F12B00 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4771 |
Entropy (8bit): | 4.479597922489219 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsMJgtWI9sKWSC8BR8fm8M4JCds0MFKG+q8vjs0Ln4SrSXd:uITfKTrSNwJyGKtzDWXd |
MD5: | 65E8BF104530B0174CAB4EBA03F0A7F8 |
SHA1: | 0897C25B30107CD27C06E20625DA6D2D3AF8F9D8 |
SHA-256: | 07DA9F76FC3473D8FC60D5661583AF0494EAD0965D4DB9178971154B4899C95C |
SHA-512: | 3E0F3366B89301017B71A82E398B8A950DDE37D1DC1308E1FFD4339975F8464CC195278FC721AC8E275832D7DF0378052414B10D50B4D432AC4B82009422BEF5 |
Malicious: | false |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 48384 |
Entropy (8bit): | 2.0046509514616377 |
Encrypted: | false |
SSDEEP: | 192:IrXzU1AeWpMvnVMznIhe+X8Atfrq0ElzUQEs:gXzm5WpM/ezge+s+f+0EdUs |
MD5: | B05604691E9562343EC1EE6E756758B4 |
SHA1: | 2E1E973EACEF5BF0E7FB4D65D943B41F3B5E06D1 |
SHA-256: | 1313D1C545BC25DA739DBE36796D3FB92D6A1DA037D29DBDF4BBC3E5257B9779 |
SHA-512: | 6DE0B8FD5A28D00BB2D15D2226E71B1B9CE0EDA5C11AD22C439C0A8C506DA430B8494474E935861955F1D75B4DF7F01902BB5BC1763747BE7C3F55C704886D67 |
Malicious: | false |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 4.612809244096079 |
TrID: |
|
File name: | SecuriteInfo.com.Trojan.Loader.788.32290.dll |
File size: | 6144 |
MD5: | ab4dabb7296c60f618a8bba9ec194659 |
SHA1: | 3a71cbe4e689eab68fb642bb94a4995102b03a9d |
SHA256: | 58d3533e94bd90a6aaff46e76f8f264f63aebd84ea246ab5074a32457e3ba39b |
SHA512: | ec791043f95ca06804aed549d3f6414a2605ad85ba7e1d06fd14357a9bd5234ed60cb4f28d89fcc6680801ee8cae2282cdb7c79927d830e15ad9753c8e356b75 |
SSDEEP: | 96:/an1ASk3NDZ+tCiq5RSKKgHCgQNLJ2L8ipKvrD3:/dgqTSHg+d2LKjD3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................sA......................................Rich............................PE..L...O..`...........!....... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x10000000 |
Entrypoint Section: | |
Digitally signed: | false |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED |
DLL Characteristics: | NO_SEH, NX_COMPAT |
Time Stamp: | 0x6090924F [Tue May 4 00:16:15 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 68cb0529e8a62fbcd192ffb1ba826877 |
Entrypoint Preview |
---|
Instruction |
---|
dec ebp |
pop edx |
nop |
add byte ptr [ebx], al |
add byte ptr [eax], al |
add byte ptr [eax+eax], al |
add byte ptr [eax], al |
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x21d0 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2304 | 0xc8 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2110 | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2130 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0xf4 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x694 | 0x800 | False | 0.46533203125 | data | 5.07347132918 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x2000 | 0x98e | 0xa00 | False | 0.4578125 | data | 4.64118874162 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3000 | 0x354 | 0x200 | False | 0.1171875 | data | 0.557168346014 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
Imports |
---|
DLL | Import |
---|---|
ole32.dll | WriteClassStg, OleMetafilePictFromIconAndLabel, OleCreateEmbeddingHelper, OleDestroyMenuDescriptor, OleSetAutoConvert, MkParseDisplayName, StgIsStorageFile, HBITMAP_UserMarshal, SNB_UserMarshal |
SETUPAPI.dll | SetupLogFileA, SetupQueueDeleteSectionA, SetupQueueRenameSectionA, SetupQueryInfFileInformationA, SetupDiSelectDevice, SetupDiGetHwProfileFriendlyNameW, SetupRemoveInstallSectionFromDiskSpaceListW, SetupDiSetDeviceInstallParamsA |
SHELL32.dll | SHGetMalloc, SHEmptyRecycleBinW, ShellAboutW |
msi.dll | |
IMM32.dll | ImmGetCandidateListA, ImmGetCompositionStringA, ImmUnlockIMCC, ImmEnumRegisterWordW, ImmSimulateHotKey, ImmAssociateContextEx, ImmGetGuideLineW, ImmGetCandidateWindow |
WINMM.dll | joyGetNumDevs, midiInMessage, waveInGetErrorTextA, mmioSetBuffer, midiInGetErrorTextW |
MPR.dll | WNetGetResourceParentW, WNetConnectionDialog1W, WNetConnectionDialog, WNetCancelConnectionW, WNetConnectionDialog1A, WNetAddConnectionA, WNetGetConnectionW |
loadperf.dll | UnloadPerfCounterTextStringsW, LoadPerfCounterTextStringsW |
KERNEL32.dll | GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter |
Exports |
---|
Name | Ordinal | Address |
---|---|---|
uvlcopdlxoed | 1 | 0x10001120 |
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Sep 15, 2021 13:53:22.326680899 CEST | 49199 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:53:22.378357887 CEST | 53 | 49199 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:53:38.152705908 CEST | 50620 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:53:38.179976940 CEST | 53 | 50620 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:53:38.358691931 CEST | 64938 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:53:38.387706041 CEST | 53 | 64938 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:53:41.058829069 CEST | 60152 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:53:41.089494944 CEST | 53 | 60152 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:53:43.313999891 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:53:43.342284918 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:53:53.034909964 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:53:53.063045979 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:11.738136053 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:11.774638891 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:17.316159964 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:17.375313997 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:17.997781992 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:18.027889967 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:18.498393059 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:18.588002920 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:18.953603029 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:19.004259109 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:19.098689079 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:19.130696058 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:19.647425890 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:19.691886902 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:20.176201105 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:20.204581976 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:20.712364912 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:20.766977072 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:21.752026081 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:21.781991959 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:22.603535891 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:22.664294958 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:23.369560003 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:23.428080082 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:54:32.449382067 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:54:32.483886957 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:55:10.992928982 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:55:11.026423931 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Sep 15, 2021 13:55:12.790858030 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Sep 15, 2021 13:55:12.834683895 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 13:53:30 |
Start date: | 15/09/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf40000 |
File size: | 116736 bytes |
MD5 hash: | 542795ADF7CC08EFCF675D65310596E8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:53:30 |
Start date: | 15/09/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbd0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:53:31 |
Start date: | 15/09/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:53:31 |
Start date: | 15/09/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:53:34 |
Start date: | 15/09/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:53:34 |
Start date: | 15/09/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:53:34 |
Start date: | 15/09/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 13:53:38 |
Start date: | 15/09/2021 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x260000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|