Windows Analysis Report customResource0009.dll

Overview

General Information

Sample Name:customResource0009.dll
Analysis ID:502666
MD5:46a6d54adb351e5d896c7e47d2f3c572
SHA1:78291aed836797fc4b8048276258834949de6f58
SHA256:6a21df8ba326d4a7f5f1e7870d4090238bcefdbd24142f10b2592f2da54684e6
Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Uses 32bit PE files
PE file contains an invalid checksum
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 664 cmdline: loaddll32.exe 'C:\Users\user\Desktop\customResource0009.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 4436 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\customResource0009.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 972 cmdline: rundll32.exe 'C:\Users\user\Desktop\customResource0009.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures. All signature results:

Source: customResource0009.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: customResource0009.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine; Classification label: clean2.winDLL@5/0@0/0
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\customResource0009.dll'
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\customResource0009.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\customResource0009.dll',#1
Source: customResource0009.dll; Static file information: File size 2099200 > 1048576
Source: customResource0009.dll; Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1f5600
Source: customResource0009.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: customResource0009.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: customResource0009.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: customResource0009.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: customResource0009.dll; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: customResource0009.dll; Static PE information: real checksum: 0x210c9c should be: 0x201665
Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe; Thread delayed: delay time: 120000

Mitre Att&ck Matrix

Tactic: techniques (matched techniques carry their signature count in parentheses; the remaining entries are the matrix's unmatched placeholder cells)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Rundll32 (1); Virtualization/Sandbox Evasion (1); Process Injection (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Virtualization/Sandbox Evasion (1); System Information Discovery (1); Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Data Obfuscation; Junk Data; Steganography
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Behavior Graph ID: 502666; Sample: customResource0009.dll; Start date: 14/10/2021; Architecture: WINDOWS; Score: 2
Process chain shown in the graph: loaddll32.exe -> cmd.exe -> rundll32.exe


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                 | Detection | Scanner       | Label | Link
customResource0009.dll | 0%        | Virustotal    |       | Browse
customResource0009.dll | 0%        | ReversingLabs |       |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:502666
Start date:14.10.2021
Start time:08:36:50
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 45s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:customResource0009.dll
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean2.winDLL@5/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .dll
  • Override analysis time to 240s for rundll32
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded IPs from analysis (whitelisted): 95.100.216.89, 20.82.210.154, 20.54.110.249, 40.112.88.60, 2.20.178.24, 2.20.178.33, 20.50.102.62
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
  • Not all processes were analyzed; the report is missing behavior information

Simulations

Behavior and APIs

Time     | Type            | Description
08:37:53 | API Interceptor | 1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):2.516376810806406
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:customResource0009.dll
File size:2099200
MD5:46a6d54adb351e5d896c7e47d2f3c572
SHA1:78291aed836797fc4b8048276258834949de6f58
SHA256:6a21df8ba326d4a7f5f1e7870d4090238bcefdbd24142f10b2592f2da54684e6
SHA512:2f987317c46f9e36cfc94747f9578a03850a3632b5105451dc737c962916431b16ed896eb675b7207eb2957ec9ad051829b0e305dc0276a855ea92b2c4b42580
SSDEEP:3072:zIXatRRGzPVA8Oxp0he0npsMv1gcORJUB+0nJUIy:zIbq8Oxp0he0nyMKcORJUB+0ny
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......it.r-.s!-.s!-.s!$m.!4.s!$m.!=.s!...!..s!-.r!d.s!$m.!d.s!3G.!,.s!$m.!,.s!Rich-.s!........PE..L......Y...........!.....d.........

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:0x10001233
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:0x59E4C0D7 [Mon Oct 16 14:23:19 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:0
File Version Major:5
File Version Minor:0
Subsystem Version Major:5
Subsystem Version Minor:0
Import Hash:d0b0ab81bf0e4cd20070f6525db9fd67

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After:
Subject Chain:
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Every signature field is empty in this light report, so the "Digitally signed: true" flag above records only a non-zero IMAGE_DIRECTORY_ENTRY_SECURITY entry (file offset 0x200600, size 0x3ff0); no certificate chain was validated. Those two numbers put the end of the certificate table at 0x2045f0, beyond the 0x200800-byte (2099200) file, so the certificate table cannot be complete as stored and verification on this copy would fail. Before treating the file as the signed National Instruments installer resource DLL its version block claims, verify a known-good copy with signtool or compare hashes against the vendor release. The wrong PE CheckSum reported above is a separate matter: the CheckSum field is excluded from the Authenticode hash, so it neither breaks nor confirms the signature.

Entrypoint Preview

Instruction (disassembly from the entry point 0x10001233; the opening sequence, which compares the fdwReason argument at [ebp+0Ch] against DLL_PROCESS_ATTACH, makes two calls and returns with retn 0Ch, is the stock VS2008 CRT _DllMainCRTStartup stub, consistent with the Rich header below)
      mov edi, edi
      push ebp
      mov ebp, esp
      cmp dword ptr [ebp+0Ch], 01h
      jne 00007FA470776997h
      call 00007FA470777F9Eh
      push dword ptr [ebp+08h]
      mov ecx, dword ptr [ebp+10h]
      mov edx, dword ptr [ebp+0Ch]
      call 00007FA470776881h
      pop ecx
      pop ebp
      retn 000Ch
      mov edi, edi
      push ebp
      mov ebp, esp
      push esi
      push dword ptr [1000A004h]
      mov esi, dword ptr [10008010h]
      call esi
      test eax, eax
      je 00007FA4707769B3h
      mov eax, dword ptr [1000A000h]
      cmp eax, FFFFFFFFh
      je 00007FA4707769A9h
      push eax
      push dword ptr [1000A004h]
      call esi
      call eax
      test eax, eax
      je 00007FA47077699Ah
      mov eax, dword ptr [eax+000001F8h]
      jmp 00007FA4707769B9h
      mov esi, 1000812Ch
      push esi
      call dword ptr [10008008h]
      test eax, eax
      jne 00007FA47077699Dh
      push esi
      call 00007FA4707770BEh
      pop ecx
      test eax, eax
      je 00007FA4707769AAh
      push 1000811Ch
      push eax
      call dword ptr [1000800Ch]
      test eax, eax
      je 00007FA47077699Ah
      push dword ptr [ebp+08h]
      call eax
      mov dword ptr [ebp+08h], eax
      mov eax, dword ptr [ebp+08h]
      pop esi
      pop ebp
      ret
      push 00000000h
      call 00007FA47077691Ch
      pop ecx
      ret
      mov edi, edi
      push ebp
      mov ebp, esp
      push esi
      push dword ptr [1000A004h]
      mov esi, dword ptr [10008010h]
      call esi
      test eax, eax
      je 00007FA4707769B3h
      mov eax, dword ptr [1000A000h]
      cmp eax, FFFFFFFFh
      je 00007FA4707769A9h
      push eax
      push dword ptr [1000A004h]

      Rich Headers

      Programming Language:
      • [ASM] VS2008 SP1 build 30729
      • [ C ] VS2008 SP1 build 30729
      • [IMP] VS2005 build 50727
      • [RES] VS2008 build 21022
      • [LNK] VS2008 SP1 build 30729
      • [C++] VS2008 SP1 build 30729

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x955c          | 0x28         | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xc000          | 0x1f54f4     | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x200600        | 0x3ff0       |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x202000        | 0x6d4        | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x9260          | 0x40         | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x8000          | 0xec         | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

The export directory is empty (0x0 / 0x0): the DLL exports nothing, so the rundll32.exe ",#1" invocation in the process tree has no ordinal 1 to resolve, and only the DLL entry point runs when loaddll32.exe and rundll32.exe map the file. That, together with a version block describing it as an installer's English resources, is why the run is idle. For the SECURITY entry the "Virtual Address" is a raw file offset, not an RVA, which is why it maps to no section.
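The checksum mismatch, the empty export directory and the out-of-range certificate table are all header facts a reviewer can re-check offline without the sandbox. The following Python is an added example written for this page; it is not part of the Joe Sandbox report or of the National Instruments product, uses only the standard library, and the names `parse_headers`, `pe_checksum`, `set_checksum`, `audit` and `build_minimal_pe` as well as the constructed sample header are this example's own. The CheckSum routine follows the imagehlp CheckSumMappedFile algorithm; the export and certificate-table checks are plain header reads. Against the real file, `audit(open(path, "rb").read())` should report stored 0x210c9c versus computed 0x201665, no exports, and a certificate table ending at 0x2045f0 in a 0x200800-byte file, matching the report above.

```python
import struct

# Added example: dependency-free PE header audit. Function names and the
# constructed sample below are this example's own, not the report's.

IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def parse_headers(data: bytes) -> dict:
    """Locate the NT headers and read the fields the audit needs.
    Handles PE32 and PE32+; only the optional-header layout differs."""
    if struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24                      # Signature(4) + IMAGE_FILE_HEADER(20)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # CheckSum sits at +0x40 in both layouts; the directory array shifts in PE32+.
    checksum_off = opt_off + 0x40
    count_off = opt_off + (0x5C if magic == PE32_MAGIC else 0x6C)
    count = min(struct.unpack_from("<I", data, count_off)[0], 16)
    if count_off + 4 + count * 8 > opt_off + opt_size:
        raise ValueError("data directory array overruns the optional header")
    dirs = {}
    for i in range(count):
        va, size = struct.unpack_from("<II", data, count_off + 4 + i * 8)
        dirs[DIRECTORY_NAMES[i]] = (va, size)
    return {
        "machine": machine,
        "sections": nsections,
        "characteristics": characteristics,
        "checksum_offset": checksum_off,
        "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0],
        "directories": dirs,
    }


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSum as imagehlp computes it: fold the file into a 16-bit sum one
    dword at a time, skipping the CheckSum field itself, then add the file
    length. Assumes checksum_offset is 4-byte aligned (true for normal images)."""
    padded = data + b"\0" * (-len(data) % 4)
    skip = checksum_offset // 4
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def set_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum written into the header."""
    hdr = parse_headers(data)
    out = bytearray(data)
    struct.pack_into("<I", out, hdr["checksum_offset"],
                     pe_checksum(data, hdr["checksum_offset"]))
    return bytes(out)


def audit(data: bytes) -> dict:
    """The three header checks discussed in the report, as plain booleans."""
    hdr = parse_headers(data)
    computed = pe_checksum(data, hdr["checksum_offset"])
    _, export_size = hdr["directories"].get("EXPORT", (0, 0))
    # SECURITY is the one directory whose "VirtualAddress" is a raw file offset.
    sec_off, sec_size = hdr["directories"].get("SECURITY", (0, 0))
    return {
        "file_size": len(data),
        "stored_checksum": hdr["stored_checksum"],
        "computed_checksum": computed,
        "checksum_ok": computed == hdr["stored_checksum"],
        "has_exports": export_size != 0,
        "claims_signature": sec_size != 0,
        "signature_end": sec_off + sec_size,
        "signature_in_bounds": sec_size == 0 or sec_off + sec_size <= len(data),
    }


def build_minimal_pe(total_size: int, directories: dict, checksum: int = 0) -> bytes:
    """Constructed sample for demonstration only: a bare PE32 DLL header with
    no sections, zero-padded to total_size. Not loadable; it populates just
    the fields the audit reads."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    file_hdr = struct.pack("<IHHIIIHH", IMAGE_NT_SIGNATURE, 0x14C, 0, 0, 0, 0,
                           0xE0, 0x2102)                            # i386; EXEC|32BIT|DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 0x40, checksum)
    struct.pack_into("<I", opt, 0x5C, 16)                          # NumberOfRvaAndSizes
    for name, (va, size) in directories.items():
        struct.pack_into("<II", opt, 0x60 + DIRECTORY_NAMES.index(name) * 8, va, size)
    head = bytes(dos + file_hdr + opt)
    return head + b"\0" * (total_size - len(head))


if __name__ == "__main__":
    # Same shape as the report: no export directory, a SECURITY entry that runs
    # past the end of the file, and a stale CheckSum.
    sample = build_minimal_pe(0x400, {"SECURITY": (0x380, 0x100)}, checksum=0x1234)
    for key, value in audit(sample).items():
        print(f"{key:<20} {value:#x}" if type(value) is int else f"{key:<20} {value}")
    print("checksum_ok after set_checksum:", audit(set_checksum(sample))["checksum_ok"])
```

If a dependency is acceptable, `pefile` exposes the same checksum routine as `PE.generate_checksum()`; the hand-rolled version here exists so the skip-the-field rule and the certificate-table bounds check are visible in one place.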

      Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type              | Entropy       | Characteristics
.text  | 0x1000          | 0x6344       | 0x6400   | False    | 0.61140625      | COM executable for DOS | 6.57669403614 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000          | 0x1aac       | 0x1c00   | False    | 0.338588169643  | data                   | 5.34181229543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xa000          | 0x181c       | 0xe00    | False    | 0.220982142857  | data                   | 2.25864871023 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc  | 0xc000          | 0x1f54f4     | 0x1f5600 | False    | 0.027705061082  | data                   | 2.33990762536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x202000        | 0x1fbe       | 0x2000   | False    | 0.191528320312  | data                   | 2.06954453639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

      Resources

Name        | RVA      | Size     | Type                                       | Language | Country
RT_BITMAP   | 0xc354   | 0xa2562  | data                                       | English  | United States
RT_BITMAP   | 0xae8b8  | 0x2318   | data                                       | English  | United States
RT_BITMAP   | 0xb0bd0  | 0x2318   | data                                       | English  | United States
RT_BITMAP   | 0xb2ee8  | 0x2318   | data                                       | English  | United States
RT_BITMAP   | 0xb5200  | 0x109de2 | data                                       | English  | United States
RT_BITMAP   | 0x1befe4 | 0x28a68  | data                                       | English  | United States
RT_BITMAP   | 0x1e7a4c | 0x19040  | data                                       | English  | United States
RT_STRING   | 0x200a8c | 0x5a8    | data                                       | English  | United States
RT_VERSION  | 0x201034 | 0x364    | data                                       | English  | United States
RT_MANIFEST | 0x201398 | 0x15a    | ASCII text, with CRLF line terminators     | English  | United States

      Imports

DLL: imports
KERNEL32.dll: GetCurrentThreadId, GetCommandLineA, GetModuleHandleW, GetProcAddress, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetLastError, InterlockedDecrement, HeapFree, Sleep, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, HeapDestroy, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, VirtualAlloc, HeapReAlloc, WriteFile, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, LoadLibraryA, InitializeCriticalSectionAndSpinCount, RtlUnwind, GetLocaleInfoA, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, LCMapStringA, LCMapStringW, HeapSize

      Version Infos

Description      | Data
LegalCopyright   | Copyright 2003-2017. All Rights Reserved.
InternalName     | customResourceEng
FileVersion      | 17.5.0.170
CompanyName      | National Instruments
ProductName      | National Instruments Installer
ProductVersion   | 17.5.0
FileDescription  | English (U.S.) Resources
OriginalFilename | customResource0009.dll

      Possible Origin

Language of compilation system | Country where language is spoken
English                        | United States

      Network Behavior

      No network behavior found

      Behavior

      System Behavior

      General

      Start time:08:37:53
      Start date:14/10/2021
      Path:C:\Windows\System32\loaddll32.exe
      Wow64 process (32bit):true
      Commandline:loaddll32.exe 'C:\Users\user\Desktop\customResource0009.dll'
      Imagebase:0xf0000
      File size:893440 bytes
      MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:moderate

      General

      Start time:08:37:53
      Start date:14/10/2021
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\customResource0009.dll',#1
      Imagebase:0x870000
      File size:232960 bytes
      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high

      General

      Start time:08:37:54
      Start date:14/10/2021
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe 'C:\Users\user\Desktop\customResource0009.dll',#1
      Imagebase:0x60000
      File size:61952 bytes
      MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
