Windows
Analysis Report
62835e34e60c1.dll
Overview
General Information
Detection
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll32.exe (PID: 7012, cmdline: loaddll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll", MD5: 7DEB5DB86C0AC789123DEC286286B938)
- cmd.exe (PID: 7064, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- rundll32.exe (PID: 7120, cmdline: rundll32.exe "C:\Users\user\Desktop\62835e34e60c1.dll",#1, MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- WerFault.exe (PID: 1448, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 400, MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- WerFault.exe (PID: 6480, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 408, MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- WerFault.exe (PID: 3272, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 436, MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- cleanup
{"RSA Public Key": "uFHdIp1dwWhvkEA2yTiBbeuMW6YDB1lsKD5xr+wbKQpSTgCxKW/AXnU7L/HiYIBOAaOvelJb2/pY2jRw/FTeNeGEktAn4DWXMKOPXXT0NA64cjWTlmZ01c3ZQu3caOM/Vp3zMRoE3uvOCFkw5pB9m5AVXCHf7c66rMBTCpzNlB06TLav0Zslv7QoNXagpBRObC3w6aRV9zoEMPsKo8dDtjcXrpjT3cmo/nK2BeLeCRHw4m+Z1wNt/QFKG0JSvLN7KWGp2TqLTGCk8sWmJopJGBcCeH8dEEcUduFFgdi8Cilu/K4cd0diqylW1QdRW2VJSAgt/TyNLQ8XGjESLVVFp5dI5rtAU8yovXe+vZ9IsF8=", "c2_domain": ["config.edge.skype.com", "185.189.151.28", "185.189.151.70"], "botnet": "3000", "server": "50", "serpent_key": "noA8W2qeaw7z6wk9", "sleep_time": "1", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
| | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | |
Timestamp: | 05/17/22-10:46:47.467879 |
SID: | 2033203 |
Source Port: | 49772 |
Destination Port: | 80 |
Protocol: | TCP |
Classtype: | A Network Trojan was detected |
AV Detection |
---|
Source: | Malware Configuration Extractor: |
Source: | Virustotal: | Perma Link | ||
Source: | ReversingLabs: |
Source: | Avira URL Cloud: |
Source: | Joe Sandbox ML: |
Source: | Code function: |
Source: | Static PE information: |
Source: | Binary string: |
Networking |
---|
Source: | Network Connect: | ||
Source: | Network Connect: |
Source: | Snort IDS: |
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | ASN Name: | ||
Source: | ASN Name: |
Source: | IP Address: |
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: | ||
Source: | TCP traffic detected without corresponding DNS query: |
Source: | String found in binary or memory: |
Source: | Code function: |
Key, Mouse, Clipboard, Microphone and Screen Capturing |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Binary or memory string: |
E-Banking Fraud |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Code function: |
System Summary |
---|
Source: | WMI Registry write: | ||
Source: | WMI Registry write: | ||
Source: | WMI Registry write: |
Source: | Static PE information: |
Source: | Process created: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Virustotal: | ||
Source: | ReversingLabs: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: |
Source: | Process created: |
Source: | Mutant created: |
Source: | File read: | ||
Source: | File read: | ||
Source: | File read: | ||
Source: | File read: | ||
Source: | File read: | ||
Source: | File read: |
Source: | Binary string: |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
Source: | Static PE information: |
Source: | Code function: |
Source: | Static PE information: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Source: | Registry key monitored for changes: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Malware Analysis System Evasion |
---|
Source: | Evasive API call chain: |
Source: | Check user administrative privileges: |
Anti Debugging |
---|
Source: | Debugger detection routine: |
Source: | Code function: |
Source: | Process queried: | ||
Source: | Process queried: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: | ||
Source: | Network Connect: |
Source: | Process created: |
Source: | Code function: |
Source: | Key value queried: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Stealing of Sensitive Information |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Remote Access Functionality |
---|
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: | ||
Source: | File source: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Windows Management Instrumentation | Path Interception | 111 Process Injection | 11 Virtualization/Sandbox Evasion | 1 Input Capture | 1 System Time Discovery | Remote Services | 1 Input Capture | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 Data Encrypted for Impact |
Default Accounts | 12 Native API | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 111 Process Injection | LSASS Memory | 1 Query Registry | Remote Desktop Protocol | 11 Archive Collected Data | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Obfuscated Files or Information | Security Account Manager | 11 Security Software Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Rundll32 | NTDS | 11 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 1 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | 114 System Information Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 28% | Virustotal | | Browse |
| | 29% | ReversingLabs | Win32.Trojan.Generic | |
| | 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
| | 100% | Avira | TR/Crypt.XPACK.Gen | | |
| | 100% | Avira | HEUR/AGEN.1245293 | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| | 100% | Avira URL Cloud | malware | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
| | | true | | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.189.151.70 | unknown | Switzerland | | 51395 | AS-SOFTPLUSCH | true |
185.189.151.28 | unknown | Switzerland | | 51395 | AS-SOFTPLUSCH | true |
IP |
---|
192.168.2.1 |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 628111 |
Start date and time: | 2022-05-17 10:56:45 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 34s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | 62835e34e60c1.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of new started processes analysed: | 26 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.evad.winDLL@8/12@0/3 |
EGA Information: | |
HDC Information: | |
HCA Information: | |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe
- Excluded IPs from analysis (whitelisted): 13.107.42.16, 20.42.73.29, 104.208.16.94, 20.223.24.244
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net, onedsblobprdcus16.centralus.cloudapp.azure.com
- Not all processes were analyzed, report is missing behavior information
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_99e41d792528612ced890929ed2335749e1b7_7cac0383_0c9233db\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7459414164550618 |
Encrypted: | false |
SSDEEP: | 96:M5fFbpI8nYy3y9hayCjmfIpXIQcQOgc6OIcEkcw3Ck+a+z+HbHgbVG4rmMXL9iVH:ApiknJHn1Orj4q/u7svS274ItW |
MD5: | 765ABBA6C1660E911C54330A7BC1606F |
SHA1: | E3376463E7F382EC0C345788F105D15C30BC2987 |
SHA-256: | C408348921E14A33A4213937A6E97F7C6D0455E8092E5BF88F0CD8EDD8C4B60C |
SHA-512: | 35E23E8F51666B6D37A83BE1ED82EEAE9694E2BBD45A29BE6A765E7F10E266D821D44F406BDBD146E338978EE1FCA9D79E1B78AD0B81FD8D2C350C629FB95D26 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_b48bc1255c8639c941b68601e9389dc647932d2_7cac0383_190a0077\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7493456943059427 |
Encrypted: | false |
SSDEEP: | 96:deWFMI8nYyby9haot7JnxpXIQcQac6pcEccw35+a+z+HbHgbVG4rmMXL9iVff9oO:jpkncH0tGtj4q/u7svS274ItW |
MD5: | 7D5CDADEA445D9FC80F3C13462755C58 |
SHA1: | 0801623B83DCF91DEFF26BF39AFC4356CB62C2E7 |
SHA-256: | 655C3E14724676AD2FB212AA4B58FAB14CFFB44B9549B560AB1F05F3D1D5855C |
SHA-512: | FD575CC9EC555B93190C7EEF30E31363CE9C3A1CE4E2F7BFA77AD91EFEDDBB93963B0EBB745ACBD2615C71C70656915835D279509FE4FAD376670097E415334E |
Malicious: | false |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_cb7b105113bf417cfd7547dda3de839a49ae23_7cac0383_05f1cc86\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.742784995343186 |
Encrypted: | false |
SSDEEP: | 96:XBVI8nYyMy9hayCj+kSZpXIQcQac6pcEccw35+a+z+HbHgbVG4rmMXL9iVff9oUN:xWkn1H0tGtj4q/u7sUS274Itb |
MD5: | C3EDDDA902C0A9EB58F7A8088BBC0654 |
SHA1: | 6235DF8E9B1704627AF3CD10857399394ADBBF5F |
SHA-256: | 7EBA5EEB36AB7086F59A397DF3E4FDF32085CEC5F3929858648A0673DC550119 |
SHA-512: | 563FD41B72D13E28600F38B2D8DC172E08532436F43D56A9DBA919BF3ED1B9387C3673818313B0716E21E99F6CB6C329C37697D3839EC037677478F4B1086FD2 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8294 |
Entropy (8bit): | 3.6913930970467996 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNi+164PH6Yf9SUWH4gmfZSyo/TCpDh89byLsfWGm:RrlsNiE6uH6YVSUWH4gmfZSPyQfu |
MD5: | E8BC5D3AF4FF0FE23D838738B13F56F9 |
SHA1: | 6A924900D3833090E57DDE40B0CD4B7EBA650D60 |
SHA-256: | 2741B81315AB5E1DB21A0AE15AB78AC2D9F3770B440DA330AF145EE624034744 |
SHA-512: | 7D1DE823D290726DDB8471ED60930F3C4753402303BA16CB331500296ADED4B19F7C7D6B592474B588E637BB73A287B3B576B03329B13C02BBB16686762AD9A3 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4564 |
Entropy (8bit): | 4.429145263681937 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsMJgtWI9DrWgc8sqYjL8fm8M4J2+EXFWwh+q84Pv3JMKcQIcQw0Ld:uITfKAagrsqYEJGQ2L3aKkw0Ld |
MD5: | 61AE258A83B79F03B5D4686B81BF3C78 |
SHA1: | C10E2BA375AAE565073FBF01F6A119FBEDF026BC |
SHA-256: | CA4FB2889B03A7E961E0A1612A5973326AB83F3CC4DBE7843CA03BFAFEF95ABC |
SHA-512: | 6ECF08C81D944972DE5FF08F590AAA312F7897AC74ECE5B92C308DF8AD1D02F18660040E814F86F89684381760C37BE67C12F6960F1B2DE47AB61597FDCC9AC9 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 34166 |
Entropy (8bit): | 2.1035543431161714 |
Encrypted: | false |
SSDEEP: | 192:vvH3NdZ1zOs2ihEzmXe9qK9Rw8+M3DkhWj:nfqsYGK//PG |
MD5: | 321951AD431A22ECB02EC4C832337B0F |
SHA1: | 899351B6A09EAAB03C6530421F8FBA9E8D404ABC |
SHA-256: | 670CE2681CA71E7DC314175F0BC65E67B0D3D166BD27895B3E947D432B91E8F6 |
SHA-512: | ED51901C528CC6C3B34ED598B906AE0CEAB14752FEAC869BB1943375BB6B0EA23B4997F3DAFC939FDDE60D321693EB2EB692AD710F9200D0DC53C80315D403ED |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 46970 |
Entropy (8bit): | 2.3221277094345067 |
Encrypted: | false |
SSDEEP: | 192:dW4HNd5z+OsglOGRS4oWl/9HTPHgr+bmWnhEzpXe9qW9a566ZrugozGA3+:r5s8d441B7NbmfZWQW5+ |
MD5: | BAD8D6ECD0F042F5983B68752F3A24E6 |
SHA1: | F5BD68A8FA65BF71E2611E035C98148BA2340518 |
SHA-256: | B7E0DEA36E791094438C940D435A2AF06CDD7A1F456A0F2F9F4EB6536F16BD3B |
SHA-512: | 2FD7275CFC63A62FC779213AE991172728B3F3E1A8744D8160A3087699BB76B08BC283F0DE5B8F67B0ADA0E55E3B44259EFBAF05239512DF0CE4FCAB590A46D4 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8350 |
Entropy (8bit): | 3.686646157743096 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNi+H6G86YfzSU8igmf2Sno/TCpNd89b1j1flKnm:RrlsNi+6G86YbSU8igmf2Sw1RfJ |
MD5: | 00F02820FA5568092CDDA377BEDE9E8B |
SHA1: | D2FDCEC39887814BA0066857D0F49A0C6FD52086 |
SHA-256: | 82C2D7DE8D4A309D18F6F8A79DAAACF86F0CBC25E6925CF8709B35C6999BFB5D |
SHA-512: | 9D93367B52E7BC241B41AFF85F2DCA91E49E64A295E062ABF0EEE8C79D287A312C64E360A67CC5AAE27133582D884CC55DBEB31A12E047E555C364981C7A781D |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4665 |
Entropy (8bit): | 4.416373864582268 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsPAiJgtWI9DrWgc8sqYj48fm8M4J2+IkFY2m+q8vQ+IyJMKcQIcQw0Kd:uITfNAagrsqYBJi52mKkyaKkw0Kd |
MD5: | 1335CE8EDCDBDFE5A328FAF185FF5A01 |
SHA1: | DA1A80FB00F6779880E5288D7AF626524940878D |
SHA-256: | A3CB996D41C8D306D585F0341A1196C21D66C21F2A3397087602F476C6FA7489 |
SHA-512: | 0ADBA7B788F7FE0D02C5F606BCABA535D6DB5CE69F9D5619AF12F272D1EBBB60699C6C271B834C1A01A08C2E70BCBD6F2D13DB09D3421C1439DB000BF27028C5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 33966 |
Entropy (8bit): | 2.0439214950087936 |
Encrypted: | false |
SSDEEP: | 192:LQyNdHV7OsuhEzuXebqL9+3/9Wvk75C9yW1AYef:90sfwLEP4c |
MD5: | 102E4EC10D7F33243C895BDBB8871D5B |
SHA1: | 222F72EA0B61B9B144450C6E1D77E280920F8463 |
SHA-256: | 9801DF46E16FF2617F44FFAE37CF38B434E6C0597F49EAC4E163E2076336B6B1 |
SHA-512: | B86E207FC9B691870615ABE6B54660E9914468485C19AE123A8CC13C6210ED03AECDE6315C6339E26A99381E993C9905F7C0CB043832A359AC75C7444006B678 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8338 |
Entropy (8bit): | 3.6985279071998045 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNi+I6Ak6YfySUjbgmfWSno/TCprD89bGLsfxCm:RrlsNiJ6Ak6YqSUjbgmfWS4GQfV |
MD5: | 6998C94DAD75CFD4AE57B64851BFEE5A |
SHA1: | DDC4E1A9FD39F46DA4E7BC8EAEAB9CEDD7B7275C |
SHA-256: | FA08358DE1023D4778B0D08CEC9BE6C670645A93DCDCC3C73DF31EDA02DDF9CF |
SHA-512: | 5771D2D02EFCB51E39A8B803958078F7872025F0C85311DE08EF5EAB4DA7BF385BF35F4428089DA63048C1090D5A6270DD3632D45DF49EDC5775BDAA4D31ED94 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4598 |
Entropy (8bit): | 4.46788112177361 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsPAiJgtWI9DrWgc8sqYje8fm8M4J2+pZFdFW8+q8490ZJMKcQIcQw0Ld:uITfNAagrsqY/JX3PeZaKkw0Ld |
MD5: | 9B741B1FF771D0D7427B36E6630DB971 |
SHA1: | 6A359A19A5F4C8217B2BD276BF577F8AB67E20C8 |
SHA-256: | C16E4AA0467BB288E9B7A8E23AF9E084923127F13B777A94E995389FDAD54E5E |
SHA-512: | E3A023A8FB4454C4C1A4C499A863FAF8A063CAC8AC163FEDAA5D292FA81D238BBE8F33015BEF8DCB4FE0E4E2E8AF595F82463AB1A670757237828AA698AED1CA |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.254256478645708 |
TrID: | |
File name: | 62835e34e60c1.dll |
File size: | 442368 |
MD5: | 5572213d17be7de71f36fa68eb6808a8 |
SHA1: | 5e8b27d57f6c9dc02cf2e30d47f8ed439f0fa20e |
SHA256: | f58f9c8e6a62223efa263da10850e188004471cb2be65264b7f91f27ebab0766 |
SHA512: | f015eb3c633c916227b19dc1e446d189ce8ebbb82cadf1c71d962e9d67d8d43defef437f0cb41974173e14c8fdc65808c74e4baacc723ecf0d4c87078566334d |
SSDEEP: | 6144:oE1iktxgcV9yjYJrTOkRLookGIw8OaDSOKdPmo6iJTk/DmpFkbakc+abuFGGGGGD:oE44xgcV9yjY1OkEGx/V72/DmSH6/ |
TLSH: | 3894E00965216A6EC9DC273DC9E5D31B1DA2B75CD23E70BE3CF43C9F7AE5125820428A |
File Content Preview: | MZ......................@...........................................................(.......0...w+!.W....]v...............4.....Y^........7.......x.........<.............A.............., ......,%.......{.......7.o.......O.....4.......5.......@.....Rich... |
Icon Hash: | 9068eccc64f6e2ad |
Entrypoint: | 0x4014d0 |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
DLL Characteristics: | TERMINAL_SERVER_AWARE |
Time Stamp: | 0x3EC34607 [Thu May 15 07:47:19 2003 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 0 |
File Version Major: | 5 |
File Version Minor: | 0 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 0 |
Import Hash: | a2b7486f7219709bc441af397fbc35ab |
Instruction |
---|
push ebp |
mov ebp, esp |
add ecx, FFFFFFFFh |
call 00007F6A68D094CAh |
pop eax |
pop eax |
mov dword ptr [0041461Ch], eax |
mov edx, dword ptr [00414738h] |
sub edx, 00005289h |
call edx |
mov eax, ebx |
mov dword ptr [00414618h], eax |
mov eax, esi |
mov dword ptr [00414610h], eax |
mov dword ptr [00414620h], ebp |
mov dword ptr [00414614h], edi |
add dword ptr [00414620h], 00000004h |
loop 00007F6A68D09477h |
mov dword ptr [ebp+00h], eax |
nop |
nop |
nop |
push esp |
push D72C767Ah |
jbe 00007F6A68D0951Fh |
xlatb |
rcl dword ptr [edi+2E46AAC6h], cl |
jle 00007F6A68D094F6h |
in al, dx |
mov eax, A897C0E8h |
pushfd |
xor al, D1h |
push esi |
shl dword ptr [edx+7D8B0393h], 4Fh |
int3 |
pop ss |
mov dh, 0Eh |
push es |
sub dword ptr [esi-0Ah], esp |
xchg dword ptr [esp+edi*2], ebp |
xor esi, dword ptr [esi] |
mov eax, 7DE0500Fh |
dec ebp |
sar eax, FFFFFFDEh |
mov byte ptr [379552ECh], al |
std |
test al, E7h |
sub al, A4h |
scasb |
add ebx, dword ptr [edx] |
pop es |
xchg eax, ebx |
dec edi |
int B4h |
cmpsd |
int 35h |
mov dh, BDh |
mov byte ptr [ebp-1BA85C92h], dl |
mov es, word ptr [esi+34867DB0h] |
out dx, al |
push ecx |
mov ebx, 7D4347D0h |
and al, B0h |
jbe 00007F6A68D09447h |
sti |
push ds |
push cs |
fpatan |
clc |
jl 00007F6A68D09510h |
xor ebp, dword ptr [edi] |
cmc |
fstsw word ptr [esp+ebx*2-12A5E66Ah] |
jp 00007F6A68D09497h |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xdd7c | 0x8c | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x62000 | 0x9f28 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6c000 | 0xf40 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xd000 | 0xb8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xb8a0 | 0xc000 | False | 0.0812784830729 | data | 1.12155002117 | IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ |
.rdata | 0xd000 | 0x121f | 0x2000 | False | 0.187133789062 | data | 4.12151309824 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_MEM_READ |
.data | 0xf000 | 0x7ac0 | 0x6000 | False | 0.37646484375 | data | 6.00984449077 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_GPREL, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ |
.crt | 0x17000 | 0x1dcbd | 0x1e000 | False | 0.988419596354 | data | 7.98105173778 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.erloc | 0x35000 | 0x2ca3b | 0x2d000 | False | 0.988259548611 | data | 7.98162384749 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.rsrc | 0x62000 | 0x9f28 | 0xa000 | False | 0.602783203125 | data | 6.51663069246 | IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_TYPE_GROUP, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_READ |
.reloc | 0x6c000 | 0x1360 | 0x2000 | False | 0.223266601562 | data | 3.77920644751 | IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_NO_PAD, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_BITMAP | 0x62360 | 0x666 | data | English | United States |
RT_ICON | 0x629c8 | 0x485d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
RT_ICON | 0x67228 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 331218944, next used block 4106092544 | English | United States |
RT_ICON | 0x697d0 | 0xea8 | data | English | United States |
RT_ICON | 0x6a678 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States |
RT_ICON | 0x6af20 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States |
RT_DIALOG | 0x6b488 | 0xb4 | data | English | United States |
RT_DIALOG | 0x6b540 | 0x120 | data | English | United States |
RT_DIALOG | 0x6b660 | 0x158 | data | English | United States |
RT_DIALOG | 0x6b7b8 | 0x202 | data | English | United States |
RT_DIALOG | 0x6b9c0 | 0xf8 | data | English | United States |
RT_DIALOG | 0x6bab8 | 0xa0 | data | English | United States |
RT_DIALOG | 0x6bb58 | 0xee | data | English | United States |
RT_GROUP_ICON | 0x6bc48 | 0x4c | data | English | United States |
RT_VERSION | 0x6bc98 | 0x290 | MS Windows COFF PA-RISC object file | English | United States |
DLL | Import |
---|---|
USER32.dll | IsWindow, LockWorkStation, ExitWindowsEx, LoadCursorFromFileA, IsWindowEnabled, GetMessagePos, GetClassNameA, GetClientRect, GetUpdateRgn, GetWindowWord |
KERNEL32.dll | GlobalFree, GetCommState, LockFile, EnumResourceTypesA, GetProcAddress, GetVolumePathNamesForVolumeNameW, GetShortPathNameW, GlobalMemoryStatus, WriteProcessMemory, GlobalFlags, GetFileTime, GetThreadLocale, LocalHandle, GetBinaryTypeA, GetModuleFileNameA |
OLEAUT32.dll | LoadTypeLibEx |
msvcrt.dll | strcoll, strftime, strtod, strncmp, fgetwc |
GDI32.dll | GetCharWidthFloatA, GetTextMetricsW, GdiFlush, ExtEscape |
ADVAPI32.dll | RegGetValueA, EnumServicesStatusExW, FreeEncryptionCertificateHashList, GetUserNameW, GetSidSubAuthorityCount |
Description | Data |
---|---|
LegalCopyright | A Company. All rights reserved. |
InternalName | |
FileVersion | 1.0.0.0 |
CompanyName | A Company |
ProductName | |
ProductVersion | 1.0.0.0 |
FileDescription | |
OriginalFilename | myfile.exe |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
05/17/22-10:46:47.467879 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49772 | 80 | 192.168.2.5 | 13.107.43.16 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 17, 2022 10:58:37.038618088 CEST | 49764 | 80 | 192.168.2.6 | 185.189.151.28 |
May 17, 2022 10:58:40.089255095 CEST | 49764 | 80 | 192.168.2.6 | 185.189.151.28 |
May 17, 2022 10:58:46.105389118 CEST | 49764 | 80 | 192.168.2.6 | 185.189.151.28 |
May 17, 2022 11:00:18.231358051 CEST | 49808 | 80 | 192.168.2.6 | 185.189.151.70 |
May 17, 2022 11:00:21.342381001 CEST | 49808 | 80 | 192.168.2.6 | 185.189.151.70 |
May 17, 2022 11:00:27.342931986 CEST | 49808 | 80 | 192.168.2.6 | 185.189.151.70 |
Target ID: | 1 |
Start time: | 10:57:57 |
Start date: | 17/05/2022 |
Path: | C:\Windows\System32\loaddll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xb80000 |
File size: | 116736 bytes |
MD5 hash: | 7DEB5DB86C0AC789123DEC286286B938 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 2 |
Start time: | 10:57:57 |
Start date: | 17/05/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xed0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 3 |
Start time: | 10:57:58 |
Start date: | 17/05/2022 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10c0000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | high |
Target ID: | 6 |
Start time: | 10:58:02 |
Start date: | 17/05/2022 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xff0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 9 |
Start time: | 10:58:15 |
Start date: | 17/05/2022 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xff0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 14 |
Start time: | 10:58:25 |
Start date: | 17/05/2022 |
Path: | C:\Windows\SysWOW64\WerFault.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xff0000 |
File size: | 434592 bytes |
MD5 hash: | 9E2B8ACAD48ECCA55C0230D63623661B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |