Windows Analysis Report customResource0009.dll

Overview

General Information

Sample Name: customResource0009.dll
Analysis ID: 502666
MD5: 46a6d54adb351e5d896c7e47d2f3c572
SHA1: 78291aed836797fc4b8048276258834949de6f58
SHA256: 6a21df8ba326d4a7f5f1e7870d4090238bcefdbd24142f10b2592f2da54684e6

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Uses 32bit PE files
PE file contains an invalid checksum
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

Compliance:

Uses 32bit PE files
Source: customResource0009.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

System Summary:

Uses 32bit PE files
Source: customResource0009.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: customResource0009.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: clean2.winDLL@5/0@0/0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\customResource0009.dll',#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\customResource0009.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\customResource0009.dll',#1
Source: customResource0009.dll Static file information: File size 2099200 > 1048576
Source: customResource0009.dll Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1f5600
Source: customResource0009.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: customResource0009.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: customResource0009.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: customResource0009.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: customResource0009.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum
Source: customResource0009.dll Static PE information: real checksum: 0x210c9c should be: 0x201665
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\customResource0009.dll',#1
No contacted IP infos