Edit tour

Windows Analysis Report
test2.dll

Overview

General Information

Sample Name:	test2.dll (renamed file extension from bin to dll, renamed because original name is a hash value)
Original Sample Name:	test2.bin
Analysis ID:	828211
MD5:	69a88f93c1ec9c8ecc66b7d19fb4a9aa
SHA1:	74dca80be03ab4dcc6bac81e794b6a02b56c4574
SHA256:	c825d867fb0bf1ba55b89f4bb1c6db13020792ceb175e84fac5f72cfa161726f
Infos:

Detection

Ursnif

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Uses 32bit PE files

AV process strings found (often used to terminate AV products)

PE file does not import any functions

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 2952 cmdline: loaddll32.exe "C:\Users\user\Desktop\test2.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)

conhost.exe (PID: 488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 1292 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5092 cmdline: rundll32.exe "C:\Users\user\Desktop\test2.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 4136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Gozi, Ursnif	2000 Ursnif aka Snifula2006 Gozi v1.0, Gozi CRM, CRM, Papras2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)-> 2010 Gozi Prinimalka -> Vawtrak/NeverquestIn 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed.It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.	No Attribution	http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/ https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/ https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007 https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
test2.dll	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.loaddll32.exe.10000000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.10000000.0.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: test2.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: test2.dll

Virustotal: Detection: 39%

Perma Link

Machine Learning detection for sample

Source: test2.dll

Joe Sandbox ML: detected

Source: 0.2.loaddll32.exe.10000000.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 3.2.rundll32.exe.10000000.0.unpack	Avira: Label: TR/Patched.Ren.Gen2

Source: test2.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: Amcache.hve.6.dr

String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected Ursnif

Source: Yara match	File source: test2.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

E-Banking Fraud

Yara detected Ursnif

Source: Yara match	File source: test2.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

Source: test2.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: test2.dll

Static PE information: No import functions for PE file found

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636

Source: test2.dll

Virustotal: Detection: 39%

Source: test2.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\test2.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5092
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:488:120:WilError_01

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF153.tmp

Jump to behavior

Source: classification engine

Classification label: mal68.troj.winDLL@7/6@0/0

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075C079 push ebx; ret	3_2_0075C093
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0076AC78 push eax; iretd	3_2_0076AC79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0076A050 pushad ; ret	3_2_0076A12D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0076D25D pushfd ; ret	3_2_0076D283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0076BE4D pushad ; ret	3_2_0076BE59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0076A832 push esp; ret	3_2_0076A833
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00769022 push ebp; ret	3_2_0076902B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_007662E9 push ds; ret	3_2_00766363
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00768ED0 pushad ; ret	3_2_00768ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075EAAD push edx; retf	3_2_0075EB39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075EAA8 pushad ; retf	3_2_0075EAA9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0076CE9D push cs; ret	3_2_0076CF13
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075E975 push edi; ret	3_2_0075E98B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075CF72 push esi; ret	3_2_0075D023
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00766364 push es; ret	3_2_007663A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075A952 push esp; ret	3_2_0075A953
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075E95D push esp; ret	3_2_0075E973
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075E95A push ecx; ret	3_2_0075E95B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075C735 push es; ret	3_2_0075C75B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00769725 pushad ; ret	3_2_0076998B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075EB22 push edx; retf	3_2_0075EB39
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075AB10 push edi; ret	3_2_0075AB11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075A912 push eax; ret	3_2_0075A933
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075D91C push 800075D8h; iretd	3_2_0075D921
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075C700 push 200075C7h; retn 0075h	3_2_0075C70D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075EB0F push ecx; retf	3_2_0075EB21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_007663E2 push cs; ret	3_2_007663E3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0076CFDD push esi; ret	3_2_0076D053
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0075E7C0 push ds; ret	3_2_0075E7C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_0076B1BE pushfd ; ret	3_2_0076B27B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00760BA5 push ecx; ret	3_2_00760BBB

Hooking and other Techniques for Hiding and Protection

Yara detected Ursnif

Source: Yara match	File source: test2.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\test2.dll",#1

Jump to behavior

Source: Amcache.hve.6.dr

Binary or memory string: c:\program files\windows defender\msmpeng.exe

Stealing of Sensitive Information

Yara detected Ursnif

Source: Yara match	File source: test2.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected Ursnif

Source: Yara match	File source: test2.dll, type: SAMPLE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	21 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Rundll32	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
test2.dll	39%	Virustotal		Browse
test2.dll	100%	Avira	TR/Patched.Ren.Gen2
test2.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.loaddll32.exe.10000000.0.unpack	100%	Avira	TR/Patched.Ren.Gen2		Download File
3.2.rundll32.exe.10000000.0.unpack	100%	Avira	TR/Patched.Ren.Gen2		Download File

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.6.dr	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	828211
Start date and time:	2023-03-16 20:44:28 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	test2.dll (renamed file extension from bin to dll, renamed because original name is a hash value)
Original Sample Name:	test2.bin
Detection:	MAL
Classification:	mal68.troj.winDLL@7/6@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 56% (good quality ratio 34%) Quality average: 45.1% Quality standard deviation: 44%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Execution Graph export aborted for target loaddll32.exe, PID 2952 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 5092 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
20:45:40	API Interceptor	1x Sleep call for process: WerFault.exe modified

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7bde5861e98b2ac3cc37e329f3101f62f0fff922_82810a17_10651bfd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8860700821239189
Encrypted:	false
SSDEEP:	192:QNBmits0oX4rHBUZMX4jed++/u7sES274ItWc:kmitqXMBUZMX4je7/u7sEX4ItWc
MD5:	1795313BF822B9781C244A77625986B8
SHA1:	9A5C528BA7BD41964E5CD18D03017E975E86E4E6
SHA-256:	983D059269F84ED3586526A9575ADB7577D090BF064D122CC910E95168548EAE
SHA-512:	042C0DBBD0F311E9651C4E870DCFA2060B493003A8692BA2410132AC4AE318B6B8FCA96AB2FA0C4DBE07E984DB92DE71C57AFCC566FE6B99289480C5A0D4A168
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.3.4.6.9.5.2.9.8.6.3.7.4.7.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.3.4.6.9.5.3.0.5.6.6.8.6.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.f.2.5.d.e.a.-.a.c.7.5.-.4.6.5.6.-.a.6.d.3.-.2.5.3.0.9.2.9.2.a.6.b.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.6.0.b.a.9.2.-.3.f.2.7.-.4.6.3.c.-.9.5.d.4.-.d.9.1.8.0.5.7.2.5.2.9.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.e.4.-.0.0.0.1.-.0.0.1.f.-.6.8.3.f.-.1.5.d.c.3.f.5.8.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF153.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 16 19:45:30 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	39564
Entropy (8bit):	2.265611159473901
Encrypted:	false
SSDEEP:	192:vcZURf/eOiO5SkbvQp3fj3cYreSEfKzYLpX:CJg5LbvoLHeSEt
MD5:	81B994F4CD490501D71F016B61A001B9
SHA1:	CE4E18EE2883D68810C62BF561169785E9B429C4
SHA-256:	2AD1FC0287B6CEE9A4F949CE586A13CACAB2AC88AB57172305BDFDD64F52954A
SHA-512:	33DC92F5A4FC1040D2B53B0E255FE1A540624841903A3A4C65C9985498F3B4F33A2AE2ACDC6F32D7801CD8EB4CC2DFC1B75057D35E40A9992975A74D49A0D672
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........q.d............d...........P...l...........P(..........T.......8...........T...........`...,............................................................................................U...........B......@.......GenuineIntelW...........T............q.d.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8246
Entropy (8bit):	3.6882927050241654
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiTP6d6YT36sgmfTkn4SPk+pr789bnRsfK5tm:RrlsNi76d6Yj6sgmfTk4SMnKfX
MD5:	BBE842E55E327ABE4996E5928BD473CC
SHA1:	2FA54FDA637C7E6E90D85454FF1F65EE20D03DB8
SHA-256:	62AF787BE4D963A2875DA51D52ABB6ECB268F96363A50A2F03409DC4BEB1F776
SHA-512:	8B4687AC9807CDC44F6CAA96FD0754977292D24E7F26DAABC21484E659C6813848289EDFB818CE7AB02D70E844315F59B082096A87981BD06A8CAAF6A624CD0C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.9.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF31A.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.4525988805691625
Encrypted:	false
SSDEEP:	48:cvIwSD8zsbtJgtWI9ScWgc8sqYjb8fm8M4JCdsfF8Fj+q8/5v4SrSsd:uITfD5VgrsqYkJgN4DWsd
MD5:	C95847BD0C75AC6AE8E70026A8D7117E
SHA1:	103452E6144CE17F87F4D8FA55C3608005E10654
SHA-256:	BC60A4E6D410D437DE0551A75FDD83AD646C6D58A597E64AA909CAAA8169E57E
SHA-512:	92D08A2E38343AFAB82160C23E5A4BC4C94EC957D1C369762DCA329A5709ACD26CC17EA426DD5866DD51E26DF799D09FACB887391DD0F299AD9A476645942A18
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1955816" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.311503791177229
Encrypted:	false
SSDEEP:	12288:zrb8DJvNbVFR3fCZVR9bvMjOJghm1twJd7iN9241oYHQnN+wYq:vb8DJvNbVF5fCZ9RJp
MD5:	957A7D2F8DAD6A189D33DE8C2FD9D93F
SHA1:	E0A5F29F7053CD09A425EE5A86005107D4563D4E
SHA-256:	0DAC8BE968ACF0DBDC7316CDFB69075415468B74E3C104DCA38602D4C36E641F
SHA-512:	3D284CD9D0AC1DE234F6F7F2C0DE6DFE97421B11904BE3448C926868F4DBB60DC5D7497D350C4A24D883DEC590C8136492B70B27229886EDC5C2154BED10E35B
Malicious:	false
Preview:	regfQ...Q...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..k.?X................................................................................................................................................................................................................................................................................................................................................b.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.9437805244171296
Encrypted:	false
SSDEEP:	384:eDv5K5JjaM1gnVVeeDze61NKZtjCexFa1jsoSwXlhaai/qfv/DWwsfWebNZpu7:ORK3g/eeDzeUNYtjDHaRsoSwzaai/qfZ
MD5:	43CAD0C0D41DF871C98422640C954C4B
SHA1:	0058D81C4E5FAA71B741854513B3B9262A60AD7A
SHA-256:	99E83DBB54635A62034B89B02D743886025CAE14995EA18F87CCB6733531FCAA
SHA-512:	AAD66AAF51068411EE742684522166EAA37D05B89C852FFA8DDEE942EC8E0BDEAFDB96106EF6CA1DBCAA32F500F0BDE6DED6CBD57646471AA2A34F62524AE4B0
Malicious:	false
Preview:	regfP...P...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..k.?X................................................................................................................................................................................................................................................................................................................................................b.HvLE.^......P.... ......_...&...s>+.$..X............................. ..hbin................p.\..,..........nk,..xm.?X.................................. ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..xm.?X...... ........................... .......Z.......................Root........lf......Root....nk ..xm.?X.................................. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7778692211855445
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	test2.dll
File size:	57344
MD5:	69a88f93c1ec9c8ecc66b7d19fb4a9aa
SHA1:	74dca80be03ab4dcc6bac81e794b6a02b56c4574
SHA256:	c825d867fb0bf1ba55b89f4bb1c6db13020792ceb175e84fac5f72cfa161726f
SHA512:	8ff818fa0e88774c7047f7c1b626931f2119fd00cc51bc5381b2466b3d9aec6edfd6abd7cd16b452f725937ee825e275d239f55aaddff027f56359d85aae0725
SSDEEP:	768:bZUYZZtva+c+wdCAXNnZ98baBXe13jtCs8sNaHXsSsGtj+WNAMTauI:TZACuCCZKt1z98scH8ucWBOP
TLSH:	AB43E195A62D04DACB63C1733B36937EC6FEC21975082CCAD0166A6E5EBA552D03D243
File Content Preview:	MZ.f.:..................@...............................................!..L.!This program cannot be run in DOS mode....$........V...7...7...7.......7...O...7...7...7..;8...7..;8...7..;8...7.......7.......7.......7..Rich.7..................PE..L....T.b...

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x10001d4b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:	0x629654C0 [Tue May 31 17:47:44 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
in al, dx
and ecx, 00000FFFh
add ecx, esi
add dword ptr [ecx], ebx
mov ebx, dword ptr [ebp-08h]
inc ebx
inc ebx
dec dword ptr [ebp-0Ch]
mov dword ptr [ebp-08h], ebx
jne 00007F37D092FB03h
mov ecx, dword ptr [edi+04h]
sub dword ptr [ebp-04h], ecx
add edi, ecx
cmp dword ptr [ebp-04h], 08h
jnbe 00007F37D092FACEh
pop edi
pop esi
pop ebx
leave
retn 0004h
cmp dword ptr [esp+08h], 00000000h
je 00007F37D092FB58h
mov ecx, dword ptr [eax+0Ch]
mov edx, ecx
sub edx, dword ptr [esp+04h]
mov dl, byte ptr [edx]
mov byte ptr [ecx], dl
inc dword ptr [eax+0Ch]
dec dword ptr [esp+08h]
jne 00007F37D092FB2Ch
ret
push ebp
mov ebp, esp
sub esp, 30h
push ebx
push esi
push edi
mov esi, eax
xor eax, eax
lea edi, dword ptr [ebp-28h]
stosd
stosd
stosd
stosd
stosd
xor ebx, ebx
xor eax, eax
push ebx
push 08000000h
push dword ptr [esi+08h]
lea edi, dword ptr [ebp-10h]
stosd
mov eax, dword ptr [esi+04h]
mov dword ptr [ebp-14h], eax
lea eax, dword ptr [ebp-14h]
push eax
lea eax, dword ptr [ebp-2Ch]
push eax
push 000F001Fh
lea eax, dword ptr [ebp-0Ch]
push eax
mov dword ptr [ebp-0Ch], ebx
mov dword ptr [ebp-08h], ebx
mov dword ptr [ebp-2Ch], 00000018h
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-20h], 00000040h
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-18h], ebx
call dword ptr [esi+0Ch]
cmp eax, ebx
jl 00007F37D092FB77h
mov eax, dword ptr [ebp-0Ch]
mov dword ptr [esi], eax
lea eax, dword ptr [ebp-08h]
push eax
call 00007F37D09305EDh
mov edi, eax
cmp edi, ebx
jne 00007F37D092FB5Bh
push dword ptr [ebp-14h]
push ebx

Rich Headers

Programming Language:

[ASM] VS2005 build 50727
[IMP] VS2008 SP1 build 30729
[EXP] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x35f0	0x4f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x312c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x6000	0x154	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3000	0xcc	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1797	0x1800	False	0.3787434895833333	data	4.031216120437235	IMAGE_SCN_CNT_CODE, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_REMOVE, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3000	0x63f	0x800	False	0.7646484375	data	6.43669157518164	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ
.data	0x4000	0x24c	0x200	False	0.875	data	5.8293315768111045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_LNK_OVER, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_MEM_PRELOAD, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x5000	0x26c	0x400	False	0.3603515625	data	3.1797275657461412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OVER, IMAGE_SCN_LNK_COMDAT, IMAGE_SCN_MEM_PROTECTED, IMAGE_SCN_NO_DEFER_SPEC_EXC, IMAGE_SCN_MEM_SYSHEAP, IMAGE_SCN_MEM_PURGEABLE, IMAGE_SCN_MEM_16BIT, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x6000	0x8000	0x7200	False	0.5503700657894737	data	5.31387674469581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_OTHER, IMAGE_SCN_LNK_OVER, IMAGE_SCN_GPREL, IMAGE_SCN_MEM_FARDATA, IMAGE_SCN_MEM_LOCKED, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_128BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_READ

Target ID:	0
Start time:	20:45:28
Start date:	16/03/2023
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\test2.dll"
Imagebase:	0x390000
File size:	116736 bytes
MD5 hash:	1F562FBF37040EC6C43C8D5EF619EA39
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	1
Start time:	20:45:28
Start date:	16/03/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c72c0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	20:45:28
Start date:	16/03/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	3
Start time:	20:45:28
Start date:	16/03/2023
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\test2.dll",#1
Imagebase:	0xc20000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	20:45:28
Start date:	16/03/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 636
Imagebase:	0x1040000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report test2.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_7bde5861e98b2ac3cc37e329f3101f62f0fff922_82810a17_10651bfd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF153.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2AC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF31A.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
test2.dll