Edit tour

Windows Analysis Report
3498_ED6E000.dll

Overview

General Information

Sample Name:	3498_ED6E000.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	3498_ED6E000.exe
Analysis ID:	1311214
MD5:	7ad3c652b3d9c376438348ca19a3b1bc
SHA1:	3854e9f15364345236d48d5337d98a965147cda7
SHA256:	9afba1d0820dfeb450239652b8c88f8ae88887b81e0209a996b7af0cc520fbad
Infos:

Detection

Mimikatz

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Hacktool Mimikatz

May use bcdedit to modify the Windows boot settings

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Tries to load missing DLLs

PE file contains sections with non-standard names

Binary contains a suspicious time stamp

Sample execution stops while process was sleeping (likely an evasion)

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 6240 cmdline: loaddll64.exe "C:\Users\user\Desktop\3498_ED6E000.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cmd.exe (PID: 6276 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3498_ED6E000.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 6288 cmdline: rundll32.exe "C:\Users\user\Desktop\3498_ED6E000.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
MimiKatz	Varonis summarizes Mimikatz as an open-source application that allows users to view and save authentication credentials like Kerberos tickets. Benjamin Delpy continues to lead Mimikatz developments, so the toolset works with the current release of Windows and includes the most up-to-date attacks.Attackers commonly use Mimikatz to steal credentials and escalate privileges: in most cases, endpoint protection software and anti-virus systems will detect and delete it. Conversely, pentesters use Mimikatz to detect and exploit vulnerabilities in your networks so you can fix them.	APT32 Anunak GALLIUM	http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle http://www.secureworks.com/research/threat-profiles/gold-burlap http://www.secureworks.com/research/threat-profiles/gold-drake http://www.secureworks.com/research/threat-profiles/gold-franklin http://www.secureworks.com/research/threat-profiles/gold-kingswood	https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz

String found in binary or memory: http://www.slg.cl/upload043.zip{ENTER}Blheam.A Brasil by mlkart .. VX BrasilAutomessage : download the new MSN update here!c:\windows\system32\winktsisx.exeI just got back from holiday - http://www.projectpony.net/girls.scr~{ESC}Get 300 buddy icons compatible with AIM, Yahoo IM and MSN IM!http://www.ffasite.com/x.exe!#HSTR:CrumCrypterHstrlogic equals www.yahoo.com (Yahoo)

Source: 3498_ED6E000.dll	String found in binary or memory: http://auth.alipay.com/http://auth.alipay.com/login/index.htm/http://buyer.trade.taobao.com/trade/pa
Source: 3498_ED6E000.dll	String found in binary or memory: http://www.ffasite.com/x.exe
Source: 3498_ED6E000.dll	String found in binary or memory: http://www.projectpony.net/girls.scr~
Source: 3498_ED6E000.dll	String found in binary or memory: http://www.slg.cl/upload043.zip
Source: 3498_ED6E000.dll	String found in binary or memory: https://usea1-areteadvisors.sentinelone.net

Source: 3498_ED6E000.dll

Static PE information: No import functions for PE file found

Source: 3498_ED6E000.dll

Binary or memory string: OriginalFilenamePCPKsp.dllj% vs 3498_ED6E000.dll

Source: C:\Windows\System32\loaddll64.exe

Section loaded: 3498_ed6e000.dll

Jump to behavior

Source: 3498_ED6E000.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3498_ED6E000.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\3498_ED6E000.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3498_ED6E000.dll",#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3498_ED6E000.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3498_ED6E000.dll",#1	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3498_ED6E000.dll",#1	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6248:120:WilError_01

Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\ws2_32.dlll
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.30704.0_x64__8wekyb3d8bbwe\MSVCP140_1.dll
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9635_none_508ff82ebcbafee0\msvcp90.dll
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\UXInit.dlldllp
Source: 3498_ED6E000.dll	Binary string: 4\Device\HarddiskVolume3\Windows\System32\perfTMP.dat
Source: 3498_ED6E000.dll	Binary string: +3\Device\HarddiskVolume3\Windows\SysWOW64\oledlg.dll
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9635_none_508ff82ebcbafee0\msvcm90.dll
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\internal-deps\dvt\thematicMap\basemaps\resourceBundles\UsaCountiesBundle_pl.js
Source: 3498_ED6E000.dll	Binary string: :\Device\HarddiskVolume3\Empower\Instr$
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.12.10983.0_x64__8wekyb3d8bbwe\Microsoft.Terminal.Control.dll
Source: 3498_ED6E000.dll	Binary string: 7\Device\HarddiskVolume3\Windows\System32\TaskSchdPS.dll
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Instr$
Source: 3498_ED6E000.dll	Binary string: D\Device\HarddiskVolume3\Windows\System32\CapabilityAccessManager.dll
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\flashchart\anychart_6\swf\maps\usa\regions\states\northeast.amap
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\internal-deps\dvt\thematicMap\basemaps\resourceBundles\UsaCountiesBundle_pt.js
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\internal-deps\dvt\thematicMap\basemaps\resourceBundles\UsaCountiesBundle_ro.js
Source: 3498_ED6E000.dll	Binary string: J\Device\HarddiskVolume3\Windows\System32\Windows.StateRepositoryClient.dll
Source: 3498_ED6E000.dll	Binary string: +R\Device\HarddiskVolume3\Windows\assembly\GAC_MSIL\Waters.WFMA.ConsoleFMA.resources
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\internal-deps\dvt\thematicMap\basemaps\resourceBundles\UsaCountiesBundle_sk.js
Source: 3498_ED6E000.dll	Binary string: +R\Device\HarddiskVolume3\Windows\assembly\GAC_MSIL\Waters.WFMA.EmpowerFMA.resources
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.12.10983.0_x64__8wekyb3d8bbwe\Microsoft.Terminal.Settings.Editor.dll
Source: 3498_ED6E000.dll	Binary string: p\Device\HarddiskVolume3\Windows\System32\tasks\Microsoft\Windows\Work Folders\Work Folders Logon Synchronization
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Diagnosis\DownloadedSettings\utc.app.json
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\UXInit.dll
Source: 3498_ED6E000.dll	Binary string: 5\Device\HarddiskVolume3\Windows\System32\rundll32.exe
Source: 3498_ED6E000.dll	Binary string: .:\Device\Ha8
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\internal-deps\dvt\thematicMap\basemaps\resourceBundles\UsaCountiesBundle_nl.js
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Program Files (x86)\Waters\ICSp
Source: 3498_ED6E000.dll	Binary string: +D\Device\HarddiskVolume3\Empower\Instruments\Bin\AcquityISMCommon.dll
Source: 3498_ED6E000.dll	Binary string: \device\asrdrv\dosdevices\asrdrv\device\asusgio\dosdevices\asusgio\device\asupdateio\dosdevices\asupdateio\device\glckio\dosdevices\glckio\device\gio\dosdevices\gio\device\gvcidrv\dosdevices\gvcidrv\device\msio\dosdevices\msio\device\ntiolib\dosdevices\ntiolib\device\semav6msr\dosdevices\semav6msr\device\{f0e8ccf6-5232-4b6f-a159-3b612b77a43f}\dosdevices\{f0e8ccf6-5232-4b6f-a159-3b612b77a43f}\device\atikia\dosdevices\atikia\device\atillk\dosdevices\atillk\device\bs_hwmio\dosdevices\bs_hwmio\device\bs_i2cio\dosdevices\bs_i2cio\device\bsmem\dosdevices\bsmem\device\bsmi\??\bsmi\device\wnbios\dosdevices\wnbios\device\hwos2ecdev\dosdevices\hwos2ec\device\mtc0303\dosdevices\mtc0303\device\nchgbios\dosdevices\nchgbios\device\genericdrv\??\genericdrv\device\bs_flash\dosdevices\bs_flash\device\nvflash\dosdevices\nvflash\device\winphlash\dosdevices\winphlash\device\phymem\dosdevices\phymem\device\piddrv\dosdevices\piddrv\device\pmxdrv\dosdevices\pmxdrv\device\ucorew\??\ucorew\device\winflash\dosdevices\winflash\device\rtkio\dosdevices\rtkio\device\superbmc0\dosdevices\superbmc\device\winring0\dosdevices\winring0d:\svn\cheat engine\bin\dbk64.pdbh
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Program Files (xomtmall.comlist.tmall.comtmall.comneiyi.tmall.comtmall.comshouji.tmall.comtmall.comwww.tmall.com!#EsrpVulDrv
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\System32\dusmsvc.dll
Source: 3498_ED6E000.dll	Binary string: +s\Device\HarddiskVolume3\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9635_none_508ff82ebcbafee0
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.UI.Xaml.2.7_7.2203.17001.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml.dll
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\oracore\zoneinfo\timezone_16.dat
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db-shm
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\librarRCRD(
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.P-ARIA-5476d0c4a7a347909c4b8a13078d4390-f8bdcecf-243f-40f8-b7c3-b9c44a57dead-7230.json
Source: 3498_ED6E000.dll	Binary string: 4\Device\HarddiskVolume3\Windows\System32\svchost.exe
Source: 3498_ED6E000.dll	Binary string: \device\tmcomm\dosdevices\tmcomm!#HSTR:DelfCPLException
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\WinSxS\amd64_microsoft-windows-a..ence-mitigations-c8_31bf3856ad36
Source: 3498_ED6E000.dll	Binary string: ;\Device\HarddiskVolume3\Empower\Instr$
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\nls\kok\localeElements.js
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9635_none_508ff82ebcbafee0\msvcr90.dll
Source: 3498_ED6E000.dll	Binary string: +E\Device\HarddiskVolume3\Empower\Instruments\Bin\AcquityISMEditMgr.ocx
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\security\EDP\Logsdll
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\WinSxS\amd64_microsoft-windows-a..ence-mitigations-c8_31bf3856ad364e35_10.0.22621.457_none_6e3a8cbbbb69623c
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\internal-deps\dvt\thematicMap\basemaps\resourceBundles\UsaCountiesBundle_ru.js
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Program FilFILE0
Source: 3498_ED6E000.dll	Binary string: M\Device\HarddiskVolume3\Windows\System32\tasks\Microsoft\Windows\Work Folders
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\nls\kok\timezoneData.js
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.30704.0_x64__8wekyb3d8bbwe\msvcp140_1.dll
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db-wal
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\nls\ks\localeElements.js
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\flashchart\anychart_6\swf\maps\south_america\french_guiana.amap
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\nls\ko-KR\timezoneData.js
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Windows\SysWOW64\twinapi.appcore.dlldll4te
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\libraries\oraclejet\4.2.0\js\libs\oj\v4.2.0\resources\internal-deps\dvt\thematicMap\basemaps\resourceBundles\UsaCountiesBundle_pt_BR.js
Source: 3498_ED6E000.dll	Binary string: =\Device\HarddiskVolume3\Windows\System32\WorkFoldersShell.dll
Source: 3498_ED6E000.dll	Binary string: /\Device\HarddiskVolume3\Windows\System32\sc.exe
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Empower\Oracle\Oracle18c\apex\images\librarRCRD(
Source: 3498_ED6E000.dll	Binary string: \Device\HarddiskVolume3\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.12.10983.0_x64__8wekyb3d8bbwe\Microsoft.Terminal.Control.dll$

Source: classification engine

Classification label: mal48.expl.winDLL@6/0@0/0

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: 3498_ED6E000.dll

Static file information: File size 1241088 > 1048576

Source: 3498_ED6E000.dll

Static PE information: Image base 0x7ffd34410000 > 0x60000000

Source: 3498_ED6E000.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3498_ED6E000.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3498_ED6E000.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3498_ED6E000.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3498_ED6E000.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3498_ED6E000.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 3498_ED6E000.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF

Source: 3498_ED6E000.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: pd.pdb source: 3498_ED6E000.dll
Source:	Binary string: mddo.pdb source: 3498_ED6E000.dll
Source:	Binary string: WindowsPerformanceRecorderControl.pdbGCTL source: 3498_ED6E000.dll
Source:	Binary string: night41 pd.pdbuner-th-hoodod.pdbodd.pdbmddo.pdb nidaght Nacht Bruder Schwester big-o-biddib-0-gibbid+8+dibver^x^revper#v#rep arbei arbeimacht freiHimmel fallennicht langespielen Spiegelund Haarenden Hundder Weltden Kriegder Feuerwehrmann mitw source: 3498_ED6E000.dll
Source:	Binary string: od.pdb source: 3498_ED6E000.dll
Source:	Binary string: \kevlar-api\kevlarsigs64\x64\release\hiphandlers64.pdbDetector.UnitTests.DetectionBenchmarkUtilities.CaseDetectorObservationsnslocollectorservice.pdb\microsoft.cyber.observationdetectors.pdb!#HSTR:Crossrider_AppName source: 3498_ED6E000.dll
Source:	Binary string: WindowsPerformanceRecorderControl.pdb source: 3498_ED6E000.dll
Source:	Binary string: chter Noch deutlicherBlockade derdie Regierungnicht mehrDer Wehretatzwischen NeueTage langBanken undnicht genugamerikanischer Traumrbindungen Nun setzenReise mitund derIm DezemberSonntag habenschon heutewar derund weiterewerden fastsorgt ohnehinscheint beendetund solltesollen dienennt dieStummfilm untereinen Kurswechseldann nur,italienische Stadtdbg0sym3.p2d3b4d8b6g1sym.b0d3p1wnnhgvzr.6rey9v52d2.ozegz4lnb1.rlvdsuchte AusfluchtTsunamis EisbergedecraapifierAof overaillhu9krtt7ntu.trku2y57j70zycvp5b.4grencuva.pdbqsylemyg.hips5660yrvq.4xizvrwvuglt.ppj19CwfSrCcEU.npfmasnter.pdb source: 3498_ED6E000.dll
Source:	Binary string: d:\svn\cheat engine\bin\dbk64.pdbh source: 3498_ED6E000.dll
Source:	Binary string: \device\asrdrv\dosdevices\asrdrv\device\asusgio\dosdevices\asusgio\device\asupdateio\dosdevices\asupdateio\device\glckio\dosdevices\glckio\device\gio\dosdevices\gio\device\gvcidrv\dosdevices\gvcidrv\device\msio\dosdevices\msio\device\ntiolib\dosdevices\ntiolib\device\semav6msr\dosdevices\semav6msr\device\{f0e8ccf6-5232-4b6f-a159-3b612b77a43f}\dosdevices\{f0e8ccf6-5232-4b6f-a159-3b612b77a43f}\device\atikia\dosdevices\atikia\device\atillk\dosdevices\atillk\device\bs_hwmio\dosdevices\bs_hwmio\device\bs_i2cio\dosdevices\bs_i2cio\device\bsmem\dosdevices\bsmem\device\bsmi\??\bsmi\device\wnbios\dosdevices\wnbios\device\hwos2ecdev\dosdevices\hwos2ec\device\mtc0303\dosdevices\mtc0303\device\nchgbios\dosdevices\nchgbios\device\genericdrv\??\genericdrv\device\bs_flash\dosdevices\bs_flash\device\nvflash\dosdevices\nvflash\device\winphlash\dosdevices\winphlash\device\phymem\dosdevices\phymem\device\piddrv\dosdevices\piddrv\device\pmxdrv\dosdevices\pmxdrv\device\ucorew\??\ucorew\device\winflash\dosdevices\winflash\device\rtkio\dosdevices\rtkio\device\superbmc0\dosdevices\superbmc\device\winring0\dosdevices\winring0d:\svn\cheat engine\bin\dbk64.pdbh source: 3498_ED6E000.dll
Source:	Binary string: odd.pdb source: 3498_ED6E000.dll

Source: 3498_ED6E000.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 3498_ED6E000.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 3498_ED6E000.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 3498_ED6E000.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 3498_ED6E000.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 3498_ED6E000.dll

Static PE information: real checksum: 0x141d4e should be: 0x1384fe

Source: 3498_ED6E000.dll

Static PE information: section name: .didat

Source: 3498_ED6E000.dll

Static PE information: 0x6F85A196 [Mon Apr 16 10:10:30 2029 UTC]

Source: 3498_ED6E000.dll

Binary or memory string: c:\windows\system32\bcdedit.exe

Source: C:\Windows\System32\rundll32.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\3498_ED6E000.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	1 Bootkit	11 Process Injection	1 Bootkit	1 OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Rundll32	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Timestomp	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

No bigger version

Source	Detection	Scanner	Label
http://www.slg.cl/upload043.zip	0%	Avira URL Cloud	safe
http://www.ffasite.com/x.exe	0%	Avira URL Cloud	safe
http://www.projectpony.net/girls.scr~	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.projectpony.net/girls.scr~	3498_ED6E000.dll	false	Avira URL Cloud: safe	unknown
http://auth.alipay.com/http://auth.alipay.com/login/index.htm/http://buyer.trade.taobao.com/trade/pa	3498_ED6E000.dll	false		high
http://www.slg.cl/upload043.zip	3498_ED6E000.dll	false	Avira URL Cloud: safe	unknown
http://www.ffasite.com/x.exe	3498_ED6E000.dll	false	Avira URL Cloud: safe	unknown
https://usea1-areteadvisors.sentinelone.net	3498_ED6E000.dll	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1311214
Start date and time:	2023-09-20 01:32:31 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	3498_ED6E000.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	3498_ED6E000.exe
Detection:	MAL
Classification:	mal48.expl.winDLL@6/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 8.252.70.126, 8.253.132.121, 8.252.64.126, 8.253.131.121, 8.253.45.248, 8.252.81.126, 8.248.153.254, 67.26.243.254, 8.253.139.120
Excluded domains from analysis (whitelisted): kv601.prod.do.dsp.mp.microsoft.com, www.bing.com, geover.prod.do.dsp.mp.microsoft.com, client.wns.windows.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, arc.msn.com, wu-bg-shim.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 3498_ED6E000.dll

File type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):	5.215171386188204
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	3498_ED6E000.dll
File size:	1'241'088 bytes
MD5:	7ad3c652b3d9c376438348ca19a3b1bc
SHA1:	3854e9f15364345236d48d5337d98a965147cda7
SHA256:	9afba1d0820dfeb450239652b8c88f8ae88887b81e0209a996b7af0cc520fbad
SHA512:	9bfb6602a50813dffb8f4e82d7fafeff1a44150a8ef6270e0de21cda86b666ce42a02e55c698b7ded2591a47018040b643c1bc45d217206ad68221ef22d1f2b5
SSDEEP:	12288:7coxlTHS3FPRikbxJSFfLeRZSDkcVw5YUhNNfYqUIjMQBwABU9Ub+MAa:ooxFS3FP8krIeRwzVYNfrUIoQVaC3
TLSH:	F145070667E45378D175897084F60772ABB2F8984B788BDB0255F2381D33BD85EF2B29
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.".#.LH#.LH#.LH..OI .LH..H..LHh.HI.LHh.OI'.LHh.II:.LH#.MH..LHh.MI&.LHh.LI".LHh.AI..LHh..H".LHh..H".LHh.NI".LHRich#.LH.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x7ffd3444c7e0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x7ffd34410000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF
Time Stamp:	0x6F85A196 [Mon Apr 16 10:10:30 2029 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	10
OS Version Minor:	0
File Version Major:	10
File Version Minor:	0
Subsystem Version Major:	10
Subsystem Version Minor:	0
Import Hash:

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov eax, dword ptr [FD451CB1h]
jnle 00007F823CED1202h
add byte ptr [eax-0D418371h], dl
add dword ptr [eax], eax
add byte ptr [eax-47h], bl
iretd
ret
mov word ptr [eax], es
add byte ptr [eax], al
rcr byte ptr [ecx+008CC3CEh], 00000000h
add byte ptr [eax-733C3105h], bh
add byte ptr [eax], al
add byte ptr [eax-733C3166h], ch
add byte ptr [eax], al
add byte ptr [edx+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [edx+008CC3CEh], bl
add byte ptr [eax], al
pushad
add dword ptr [ecx+007FFD1Dh], ebx
add byte ptr [eax], al
add byte ptr [edi+0001F2C2h], bl
add bh, bh

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x11d8f0	0x9c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11d98c	0x26c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12b000	0x570	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x122000	0x7074	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x12e000	0x5048
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12c000	0x22a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xfae78	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xeb980	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf0220	0x598	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x11cd5c	0x1a0	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe4c49	0xe5000	False	0.33191077886189957	data	5.327071453663947	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xe6000	0x391c0	0x3a000	False	0.33744864628232757	data	4.947042803685217	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x120000	0x1014	0x1000	False	0.054443359375	data	0.5874520761962675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x122000	0x7074	0x8000	False	0.293304443359375	data	3.9520595629415687	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x12a000	0x248	0x1000	False	0.250732421875	data	2.8018893257938258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x12b000	0x570	0x1000	False	0.18359375	data	4.822421311835653	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12c000	0x22a0	0x3000	False	0.3423665364583333	data	5.258717794502767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

• loaddll64.exe
• conhost.exe
• cmd.exe
• rundll32.exe

Click to jump to process

Memory Usage

• loaddll64.exe
• conhost.exe
• cmd.exe
• rundll32.exe

Click to jump to process

Click to jump to process

Target ID:	0
Start time:	01:33:20
Start date:	20/09/2023
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\3498_ED6E000.dll"
Imagebase:	0x7ff63fa50000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	01:33:20
Start date:	20/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6bab10000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	01:33:20
Start date:	20/09/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\3498_ED6E000.dll",#1
Imagebase:	0x7ff7a8120000
File size:	273'920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	01:33:20
Start date:	20/09/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\3498_ED6E000.dll",#1
Imagebase:	0x7ff6f8370000
File size:	69'632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	API monitoring, MBR, VBR
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: 3498_ED6E000.dll	String found in binary or memory: mimikatzpowershell_reflective_mimikatzpowerkatz.dllblog.gentilkiwi.com/mimikatzm
Source: 3498_ED6E000.dll	String found in binary or memory: qlog mimikatz input/output to filelog mimikatz input/output to file/mimikatz/mimikatzgentilkiwigentilkiwikiwi_msv1_0_credentialsmimikatzpowershell_reflective_mimikatzpowerkatz.dllblog.gentilkiwi.com/mimikatzmimikatz(commandline) # %smimikatz #mimikatz

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3498_ED6E000.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Privilege Escalation

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 6240, Parent PID: 3512

General

File Activities

File Opened

File Created

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Windows Analysis Report
3498_ED6E000.dll