
Windows Analysis Report VolumeConverter.dll

Overview

General Information

Sample Name: VolumeConverter.dll
Analysis ID: 502669
MD5: fc505773010d767cc1eca83c1df804cb
SHA1: 6de72a38a4e8dd0dade2cae8566fbd885123bb4a
SHA256: 50711c59f53e618c7b3aefabea49f6355ef63ced5c217c3ab2f0be74aa45796c
Tags: dll

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
.NET source code contains method to dynamically call methods (often used by packers)
Uses 32bit PE files
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Binary contains a suspicious time stamp

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6492 cmdline: loaddll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 5940 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6072 cmdline: rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: VolumeConverter.dll | Virustotal: Detection: 28%
Source: VolumeConverter.dll | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: VolumeConverter.dll | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: VolumeConverter.pdb | source: VolumeConverter.dll
Source: VolumeConverter.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal52.evad.winDLL@5/0@0/0
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\VolumeConverter.dll',#1
Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs | Cryptographic APIs: 'CreateDecryptor'
Source: VolumeConverter.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: VolumeConverter.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs | .Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: VolumeConverter.dll | Static PE information: 0xE3671BCB [Fri Nov 24 05:42:35 2090 UTC]
Source: VolumeConverter.dll, UyYuAtIRQWAJPkvDuT/FufmmOjfqBMhsFZBIN.cs | High entropy of concatenated method names: '.cctor', 'yj0yHNuMrdpao', 'vkvqDuToQ', 'mrRwKpaeG', 'ePe66v97i', 'LOhH8kIuQ', 'OnjGyypT5', 'z0qpR2EH5', 'NKWZeaNup', 'AJF3hU2Kt'
Source: VolumeConverter.dll, VolumeConverter/volumeConverter.cs | High entropy of concatenated method names: '.ctor', 'HvNJVTSIf', 'zSZ4Odeln', 'Dispose', 'QLRvPUjC1', 'g8N7k6PVPZscc8xn6k', 'gX6EmcZJUjQFlks9cF', 'nMm0ETqL131gGHwf38', 'TcrFfqspiWR1dIdcHd', 'aPQv2Bw4MYLAtN3TMb'
Source: VolumeConverter.dll, ss/ff.cs | High entropy of concatenated method names: 'tIorFj6tD', 'gVdjINcNQ', 'vr0I6VLFM', 'dd', '.cctor', 'RMWchDXxxUZSmyN6ug', 'Gr4MufHA1NoZ7FuyRH', 'BuneWGTh51JfvPm2ci', 'iGZ2Zttd9SIKxE4qlG', 'I2eNcn0uqlUSJImKfc'
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000

Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 1 | Rundll32 1 | OS Credential Dumping | Virtualization/Sandbox Evasion 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | System Information Discovery 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Software Packing 1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 1 1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp 1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |

Behavior Graph

Behavior Graph ID: 502669. Sample: VolumeConverter.dll. Start date: 14/10/2021. Architecture: WINDOWS. Score: 52.
Signatures shown in the graph: Multi AV Scanner detection for submitted file; .NET source code contains method to dynamically call methods (often used by packers).
Process chain shown in the graph: loaddll32.exe started cmd.exe, which started rundll32.exe.

Screenshots
