Windows Analysis Report VolumeConverter.dll

ID:	502669
Product:	CloudBasic
Start time:	08:44:09
Start date:	14.10.2021
Sample:	VolumeConverter.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	fc505773010d767cc1eca83c1df804cb
SHA1:	6de72a38a4e8dd0dade2cae8566fbd885123bb4a
SHA256:	50711c59f53e618c7b3aefabea49f6355ef63ced5c217c3ab2f0be74aa45796c
Filetype:	Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 44.80%

Name	Type	MD5	SHA1	SHA256

AV Detection:

Multi AV Scanner detection for submitted file

Source: VolumeConverter.dll

Virustotal: Detection: 28%

Perma Link

Compliance:

Uses 32bit PE files

Source: VolumeConverter.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: VolumeConverter.dll

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Binary contains paths to debug symbols

Source:

Binary string: VolumeConverter.pdb source: VolumeConverter.dll

System Summary:

Uses 32bit PE files

Source: VolumeConverter.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Sample is known by Antivirus

Source: VolumeConverter.dll

Virustotal: Detection: 28%

PE file has an executable .text section and no other executable section

Source: VolumeConverter.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Classification label

Source: classification engine

Classification label: mal52.evad.winDLL@5/0@0/0

Runs a DLL by calling functions

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1			Jump to behavior

.NET source code contains calls to encryption/decryption functions

Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs	Cryptographic APIs: 'CreateDecryptor'
Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs	Cryptographic APIs: 'CreateDecryptor'

PE file contains a COM descriptor data directory

Source: VolumeConverter.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: VolumeConverter.dll

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

PE file contains a debug data directory

Source: VolumeConverter.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:

Binary string: VolumeConverter.pdb source: VolumeConverter.dll

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs

.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)

Binary contains a suspicious time stamp

Source: VolumeConverter.dll

Static PE information: 0xE3671BCB [Fri Nov 24 05:42:35 2090 UTC]

.NET source code contains many randomly named methods

Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs	High entropy of concatenated method names: '.cctor', 'yj0yHNuMrdpao', 'vkvqDuToQ', 'mrRwKpaeG', 'ePe66v97i', 'LOhH8kIuQ', 'OnjGyypT5', 'z0qpR2EH5', 'NKWZeaNup', 'AJF3hU2Kt'
Source: VolumeConverter.dll, VolumeConverter/volumeConverter.cs	High entropy of concatenated method names: '.ctor', 'HvNJVTSIf', 'zSZ4Odeln', 'Dispose', 'QLRvPUjC1', 'g8N7k6PVPZscc8xn6k', 'gX6EmcZJUjQFlks9cF', 'nMm0ETqL131gGHwf38', 'TcrFfqspiWR1dIdcHd', 'aPQv2Bw4MYLAtN3TMb'
Source: VolumeConverter.dll, ss/ff.cs	High entropy of concatenated method names: 'tIorFj6tD', 'gVdjINcNQ', 'vr0I6VLFM', 'dd', '.cctor', 'RMWchDXxxUZSmyN6ug', 'Gr4MufHA1NoZ7FuyRH', 'BuneWGTh51JfvPm2ci', 'iGZ2Zttd9SIKxE4qlG', 'I2eNcn0uqlUSJImKfc'

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains medium sleeps (>= 30s)

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Anti Debugging:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1

Jump to behavior