Automated Malware Analysis IOC Report for

Processes

Path

Cmdline

Malicious

C:\Windows\System32\loaddll32.exe

loaddll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll"

Details

Is windows:	true
Is dropped:	false
PID:	6004
Target ID:	0
Parent PID:	3452
Name:	loaddll32.exe
Path:	C:\Windows\System32\loaddll32.exe
Commandline:	loaddll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll"
Size:	116736
MD5:	1F562FBF37040EC6C43C8D5EF619EA39
Time:	07:59:59
Date:	21/03/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1360000
Modulesize:	135168
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6088
Target ID:	1
Parent PID:	6004
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	625664
MD5:	EA777DEEA782E8B4D7C7C33BBF8A4496
Time:	07:59:59
Date:	21/03/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff745070000
Modulesize:	651264
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	6116
Target ID:	2
Parent PID:	6004
Name:	cmd.exe
Class:	cmd
Path:	C:\Windows\SysWOW64\cmd.exe
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1
Size:	232960
MD5:	F3BDBE3BB6F734E357235F4D5898582D
Time:	07:59:59
Date:	21/03/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb0000
Modulesize:	364544
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1

Details

Is windows:	true
Is dropped:	false
PID:	6100
Target ID:	3
Parent PID:	6116
Name:	rundll32.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\rundll32.exe
Commandline:	rundll32.exe "C:\Users\user\Desktop\WinSockClientVault.dll",#1
Size:	61952
MD5:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Time:	07:59:59
Date:	21/03/2023
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1110000
Modulesize:	81920
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Runs a DLL by calling functions	System Summary	Rundll32
Spawns processes	System Summary	Process Injection

Memdumps

Base Address

Regiontype

Protect

Malicious

240000

heap

page read and write

6690000

trusted library allocation

page read and write

ED0000

heap

page read and write

75E000

stack

page read and write

35E0000

heap

page read and write

330A000

heap

page read and write

9AE000

stack

page read and write

35EA000

heap

page read and write

B8B000

stack

page read and write

EAE000

stack

page read and write

BCB000

stack

page read and write

3349000

heap

page read and write

332D000

heap

page read and write

3300000

heap

page read and write

BD0000

heap

page read and write

34BF000

stack

page read and write

3AD000

stack

page read and write

3570000

heap

page read and write

3335000

heap

page read and write

332E000

heap

page read and write

347E000

stack

page read and write

10E0000

heap

page read and write

3349000

heap

page read and write

3329000

heap

page read and write

332D000

heap

page read and write

343F000

stack

page read and write

700000

heap

page read and write

77B000

heap

page read and write

3335000

heap

page read and write

3335000

heap

page read and write

3336000

heap

page read and write

3325000

heap

page read and write

32FE000

stack

page read and write

3325000

heap

page read and write

10F0000

heap

page read and write

AAF000

stack

page read and write

96F000

stack

page read and write

770000

heap

page read and write

3F0000

heap

page read and write

332D000

heap

page read and write

FEF000

stack

page read and write

3331000

heap

page read and write

332D000

heap

page read and write

B20000

heap

page read and write

3337000

heap

page read and write

2AD000

stack

page read and write

3335000

heap

page read and write

332A000

heap

page read and write

E30000

heap

page read and write

3574000

heap

page read and write

35E7000

heap

page read and write

There are 41 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
WinSockClientVault.dll

Processes

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportWinSockClientVault.dll

Processes

Memdumps

IOC Report
WinSockClientVault.dll