Automated Malware Analysis IOC Report for

File Path

Type

Category

Malicious

pebbles.dat.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	6.9607693404023925
Filename:	pebbles.dat.dll
Filesize:	493056
MD5:	d89521adaf6418e6ebe43b1a1a9d2af9
SHA1:	38cac8495ef43e51cdac1cb5e85d10137b365bee
SHA256:	1965dc57456d4fc01b6ce0f242d80776fe08a16354e6177255cba618348355ac
SHA512:	703db1e11372070dbbabc8a96c8600f079273e4dfad4e5437a5fd4b046187cf9f24b47ad68fadaf3bcf7fb1dcad8ecf98edd299281938eb144c4c6c29d68461f
SSDEEP:	12288:Y2X+B4HKFVxT5jXAcOf35HI9H5RGqdIhr54f:L5EVl5DC4HDbd
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._.....~[..~[..~[..}Z..~[..{Z..~[..zZ..~[I.zZ..~[I.}Z..~[I.{ZX.~[...Z..~[...[o.~[..wZ..~[..~Z..~[...[..~[...[..~[..\|Z..~[Rich..~

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Machine Learning detection for sample	AV Detection
Uses 32bit PE files	Compliance, System Summary	Masquerading
PE file contains sections with non-standard names	Data Obfuscation
PE file does not import any functions	System Summary
PE file overlay found	System Summary	Screen Capture
Sample is known by Antivirus	System Summary
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

C:\Users\user\Desktop\pebbles.dat.dll

PE32 executable (DLL) (console) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Desktop\pebbles.dat.dll
Category:	dropped
Dump:	pebbles.dat.dll.9.dr
ID:	dr_0
Target ID:	9
Process:	C:\Windows\SysWOW64\wermgr.exe
Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Entropy:	4.667100449217363
Encrypted:	false
Ssdeep:	96:UORfeVXzt2Dk1dyqIF9JhsLwAOhf2ZW2wIPD:UORAjMkXIKPD
Size:	4096
Whitelisted:	false
Reputation:	timeout

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Execute DLL with spoofed extension	Data Obfuscation
Machine Learning detection for sample	AV Detection
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Drops PE files	Persistence and Installation Behavior
PE file contains sections with non-standard names	Data Obfuscation
Registers a DLL	Data Obfuscation	Regsvr32
Uses 32bit PE files	Compliance, System Summary
Runs a DLL by calling functions	System Summary	Rundll32
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
PE file contains a debug data directory	System Summary
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a mix of data directories often seen in goodware	System Summary

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\pebbles.dat.dll"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s C:\Users\user\Desktop\pebbles.dat.dll

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\pebbles.dat.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllRegisterServer

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,DllUnregisterServer

C:\Windows\SysWOW64\wermgr.exe

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\user\Desktop\pebbles.dat.dll,bewailable

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

There are 1 hidden processes, click here to show them.