Windows Analysis Report customResource0009.dll
Overview
General Information
Detection
Score: | 2 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
No Sigma rule has matched |
---|
Jbx Signature Overview |
---|
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Classification label: |
Source: | Process created: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Process information set: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Thread delayed: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Process created: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection11 | Rundll321 | OS Credential Dumping | Virtualization/Sandbox Evasion1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion1 | LSASS Memory | System Information Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection11 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
0% | ReversingLabs |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 33.0.0 White Diamond |
Analysis ID: | 502666 |
Start date: | 14.10.2021 |
Start time: | 08:36:50 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 45s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | customResource0009.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 30 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | CLEAN |
Classification: | clean2.winDLL@5/0@0/0 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
08:37:53 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
No created / dropped files found |
---|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 2.516376810806406 |
TrID: |
|
File name: | customResource0009.dll |
File size: | 2099200 |
MD5: | 46a6d54adb351e5d896c7e47d2f3c572 |
SHA1: | 78291aed836797fc4b8048276258834949de6f58 |
SHA256: | 6a21df8ba326d4a7f5f1e7870d4090238bcefdbd24142f10b2592f2da54684e6 |
SHA512: | 2f987317c46f9e36cfc94747f9578a03850a3632b5105451dc737c962916431b16ed896eb675b7207eb2957ec9ad051829b0e305dc0276a855ea92b2c4b42580 |
SSDEEP: | 3072:zIXatRRGzPVA8Oxp0he0npsMv1gcORJUB+0nJUIy:zIbq8Oxp0he0nyMKcORJUB+0ny |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......it.r-.s!-.s!-.s!$m.!4.s!$m.!=.s!...!..s!-.r!d.s!$m.!d.s!3G.!,.s!$m.!,.s!Rich-.s!........PE..L......Y...........!.....d......... |
File Icon |
---|
Icon Hash: | 74f0e4ecccdce0e4 |
Static PE Info |
---|
General | |
---|---|
Entrypoint: | 0x10001233 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x10000000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | |
Time Stamp: | 0x59E4C0D7 [Mon Oct 16 14:23:19 2017 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | d0b0ab81bf0e4cd20070f6525db9fd67 |
Authenticode Signature |
---|
Signature Valid: | |
Signature Issuer: | |
Signature Validation Error: | |
Error Number: | |
Not Before, Not After | |
Subject Chain | |
Version: | |
Thumbprint MD5: | |
Thumbprint SHA-1: | |
Thumbprint SHA-256: | |
Serial: |
Entrypoint Preview |
---|
Instruction |
---|
mov edi, edi |
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007FA470776997h |
call 00007FA470777F9Eh |
push dword ptr [ebp+08h] |
mov ecx, dword ptr [ebp+10h] |
mov edx, dword ptr [ebp+0Ch] |
call 00007FA470776881h |
pop ecx |
pop ebp |
retn 000Ch |
mov edi, edi |
push ebp |
mov ebp, esp |
push esi |
push dword ptr [1000A004h] |
mov esi, dword ptr [10008010h] |
call esi |
test eax, eax |
je 00007FA4707769B3h |
mov eax, dword ptr [1000A000h] |
cmp eax, FFFFFFFFh |
je 00007FA4707769A9h |
push eax |
push dword ptr [1000A004h] |
call esi |
call eax |
test eax, eax |
je 00007FA47077699Ah |
mov eax, dword ptr [eax+000001F8h] |
jmp 00007FA4707769B9h |
mov esi, 1000812Ch |
push esi |
call dword ptr [10008008h] |
test eax, eax |
jne 00007FA47077699Dh |
push esi |
call 00007FA4707770BEh |
pop ecx |
test eax, eax |
je 00007FA4707769AAh |
push 1000811Ch |
push eax |
call dword ptr [1000800Ch] |
test eax, eax |
je 00007FA47077699Ah |
push dword ptr [ebp+08h] |
call eax |
mov dword ptr [ebp+08h], eax |
mov eax, dword ptr [ebp+08h] |
pop esi |
pop ebp |
ret |
push 00000000h |
call 00007FA47077691Ch |
pop ecx |
ret |
mov edi, edi |
push ebp |
mov ebp, esp |
push esi |
push dword ptr [1000A004h] |
mov esi, dword ptr [10008010h] |
call esi |
test eax, eax |
je 00007FA4707769B3h |
mov eax, dword ptr [1000A000h] |
cmp eax, FFFFFFFFh |
je 00007FA4707769A9h |
push eax |
push dword ptr [1000A004h] |
Rich Headers |
---|
Programming Language: |
|
Data Directories |
---|
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x955c | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x1f54f4 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x200600 | 0x3ff0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x202000 | 0x6d4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x9260 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0xec | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections |
---|
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x6344 | 0x6400 | False | 0.61140625 | COM executable for DOS | 6.57669403614 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x8000 | 0x1aac | 0x1c00 | False | 0.338588169643 | data | 5.34181229543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xa000 | 0x181c | 0xe00 | False | 0.220982142857 | data | 2.25864871023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0xc000 | 0x1f54f4 | 0x1f5600 | False | 0.027705061082 | data | 2.33990762536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x202000 | 0x1fbe | 0x2000 | False | 0.191528320312 | data | 2.06954453639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Resources |
---|
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0xc354 | 0xa2562 | data | English | United States |
RT_BITMAP | 0xae8b8 | 0x2318 | data | English | United States |
RT_BITMAP | 0xb0bd0 | 0x2318 | data | English | United States |
RT_BITMAP | 0xb2ee8 | 0x2318 | data | English | United States |
RT_BITMAP | 0xb5200 | 0x109de2 | data | English | United States |
RT_BITMAP | 0x1befe4 | 0x28a68 | data | English | United States |
RT_BITMAP | 0x1e7a4c | 0x19040 | data | English | United States |
RT_STRING | 0x200a8c | 0x5a8 | data | English | United States |
RT_VERSION | 0x201034 | 0x364 | data | English | United States |
RT_MANIFEST | 0x201398 | 0x15a | ASCII text, with CRLF line terminators | English | United States |
Imports |
---|
DLL | Import |
---|---|
KERNEL32.dll | GetCurrentThreadId, GetCommandLineA, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetLastError, InterlockedDecrement, HeapFree, Sleep, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, HeapDestroy, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, VirtualAlloc, HeapReAlloc, WriteFile, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, LoadLibraryA, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, HeapSize |
Version Infos |
---|
Description | Data |
---|---|
LegalCopyright | Copyright 2003-2017. All Rights Reserved. |
InternalName | customResourceEng |
FileVersion | 17.5.0.170 |
CompanyName | National Instruments |
ProductName | National Instruments Installer |
ProductVersion | 17.5.0 |
FileDescription | English (U.S.) Resources |
OriginalFilename | customResource0009.dll |
Possible Origin |
---|
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 08:37:53 |
Start date: | 14/10/2021 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf0000 |
File size: | 893440 bytes |
MD5 hash: | 72FCD8FB0ADC38ED9050569AD673650E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 08:37:53 |
Start date: | 14/10/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x870000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 08:37:54 |
Start date: | 14/10/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x60000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|