Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
WinSockClientVault.dll

Overview

General Information

Sample Name:WinSockClientVault.dll
Analysis ID:831173
MD5:e17bfe7da3ea0adcf634826f3d5ca1eb
SHA1:b337eae3d506f22bc681b46f0177f239a9ebf0c9
SHA256:db9e433dd3f0cf8150a8a61f46e49a6480e373eb09dc68b477f21ea934058e6b
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6004 cmdline: loaddll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll" MD5: 1F562FBF37040EC6C43C8D5EF619EA39)
    • conhost.exe (PID: 6088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6116 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6100 cmdline: rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: WinSockClientVault.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: G:\DEV\U4_Git\PAM_U4_Base\ArconPAMNextGen\ARCON_ASM\WinSockClientVault\obj\Release\WinSockClientVault.pdb source: WinSockClientVault.dll
Source: Binary string: G:\DEV\U4_Git\PAM_U4_Base\ArconPAMNextGen\ARCON_ASM\WinSockClientVault\obj\Release\WinSockClientVault.pdbl< source: WinSockClientVault.dll
Source: WinSockClientVault.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: WinSockClientVault.dllStatic file information: TRID: Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%
Source: classification engineClassification label: clean1.winDLL@6/0@0/0
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1
Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll"
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1
Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1Jump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6088:120:WilError_01
Source: WinSockClientVault.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WinSockClientVault.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: WinSockClientVault.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: G:\DEV\U4_Git\PAM_U4_Base\ArconPAMNextGen\ARCON_ASM\WinSockClientVault\obj\Release\WinSockClientVault.pdb source: WinSockClientVault.dll
Source: Binary string: G:\DEV\U4_Git\PAM_U4_Base\ArconPAMNextGen\ARCON_ASM\WinSockClientVault\obj\Release\WinSockClientVault.pdbl< source: WinSockClientVault.dll
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exeThread delayed: delay time: 120000Jump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1Jump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath Interception11
Process Injection		1
Rundll32		OS Credential Dumping1
Virtualization/Sandbox Evasion		Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
Virtualization/Sandbox Evasion		LSASS Memory1
System Information Discovery		Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 831173 Sample: WinSockClientVault.dll Startdate: 21/03/2023 Architecture: WINDOWS Score: 1 6 loaddll32.exe 1 2->6         started        process3 8 cmd.exe 1 6->8         started        10 conhost.exe 6->10         started        process4 12 rundll32.exe 8->12         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
WinSockClientVault.dll0%ReversingLabs
WinSockClientVault.dll1%VirustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:37.0.0 Beryl
Analysis ID:831173
Start date and time:2023-03-21 07:59:06 +01:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 2m 18s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample file name:WinSockClientVault.dll
Detection:CLEAN
Classification:clean1.winDLL@6/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Stop behavior analysis, all processes terminated

Warnings

  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
  • Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

TimeTypeDescription
07:59:59API Interceptor1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):4.781445197251568
TrID:
  • Win32 Dynamic Link Library (generic) Net Framework (1011504/3) 50.14%
  • Win32 Dynamic Link Library (generic) (1002004/3) 49.67%
  • Generic Win/DOS Executable (2004/3) 0.10%
  • DOS Executable Generic (2002/1) 0.10%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:WinSockClientVault.dll
File size:9728
MD5:e17bfe7da3ea0adcf634826f3d5ca1eb
SHA1:b337eae3d506f22bc681b46f0177f239a9ebf0c9
SHA256:db9e433dd3f0cf8150a8a61f46e49a6480e373eb09dc68b477f21ea934058e6b
SHA512:1d2db377af67ca0891f5970306bd1eec397db06d4336f73b138044d63755cad14873880e5f8094cd9c5c2e597b7dba5357768551c56552c6a4802ef16d5151e9
SSDEEP:192:oYcZsugKcP+AW+Y78RlMuhqTvpJaqi9yhPHD5h:E1O+AW+Y7UyuhqTvxi9yx9h
TLSH:9412E702CFE8A52ADABF1B38ACB3570145F1F62949A3D71E185C64AC7C3676C4A72731
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...i..d.........." ..0..............<... ...@....... ....................................`................................

File Icon

Icon Hash:74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:0x10003c96
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x64141669 [Fri Mar 17 07:27:37 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:dae02f32a21e03ce65412f6e56942daa

Entrypoint Preview

Instruction
jmp dword ptr [10002000h]
dec ecx
jbe 00007FCB84DF7673h
outsb
and byte ptr [ebp+65h], cl
jbe 00007FCB84DF7678h
jbe 00007FCB84DF7614h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x3c440x4f.text
IMAGE_DIRECTORY_ENTRY_RESOURCE0x40000x3c8.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x60000xc.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x3b0c0x1c.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x20000x1cac0x1e00False0.44609375data5.2595806085918575IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc0x40000x3c80x400False0.3720703125data3.0013843866325085IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0x60000xc0x200False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

NameRVASizeTypeLanguageCountry
RT_VERSION0x40580x36cdata

Imports

DLLImport
mscoree.dll_CorDllMain

Network Behavior

Report size exceeds maximum size, go to the download page of this report and download PCAP to see all network behavior.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:07:59:59
Start date:21/03/2023
Path:C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):true
Commandline:loaddll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll"
Imagebase:0x1360000
File size:116736 bytes
MD5 hash:1F562FBF37040EC6C43C8D5EF619EA39
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Target ID:1
Start time:07:59:59
Start date:21/03/2023
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff745070000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Target ID:2
Start time:07:59:59
Start date:21/03/2023
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1
Imagebase:0xb0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Target ID:3
Start time:07:59:59
Start date:21/03/2023
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1
Imagebase:0x1110000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

No disassembly