Windows
Analysis Report
EMP.dll
Overview
General Information
Detection
Score: | 52 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- loaddll64.exe (PID: 3924, cmdline: `loaddll64.exe "C:\Users\user\Desktop\EMP.dll"`, MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
  - conhost.exe (PID: 5572, cmdline: `C:\Windows\system32\conhost.exe 0xffffffff -ForceV1`, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  - cmd.exe (PID: 5588, cmdline: `cmd.exe /C rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1`, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    - rundll32.exe (PID: 5464, cmdline: `rundll32.exe "C:\Users\user\Desktop\EMP.dll",#1`, MD5: 73C519F050C20580F8A62C849D49215A)
      - WerFault.exe (PID: 5896, cmdline: `C:\Windows\system32\WerFault.exe -u -p 5464 -s 428`, MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  - rundll32.exe (PID: 5568, cmdline: `rundll32.exe C:\Users\user\Desktop\EMP.dll,EMP`, MD5: 73C519F050C20580F8A62C849D49215A)
    - WerFault.exe (PID: 4212, cmdline: `C:\Windows\system32\WerFault.exe -u -p 5568 -s 428`, MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
  - WerFault.exe (PID: 7296, cmdline: `C:\Windows\system32\WerFault.exe -u -p 3924 -s 472`, MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)
- cleanup
- AV Detection
- Networking
- System Summary
- Data Obfuscation
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
- Lowering of HIPS / PFW / Operating System Security Settings
AV Detection
Malware Analysis System Evasion
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 System Time Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 2 Software Packing | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 11 Process Injection | Security Account Manager | 2 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 DLL Side-Loading | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
| 36% | ReversingLabs | Win64.Adware.SbYinYing | |
Joe Sandbox Version: | 38.0.0 Beryl |
Analysis ID: | 1314161 |
Start date and time: | 2023-09-25 23:03:20 +02:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 5m 15s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 27 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample file name: | EMP.dll |
Detection: | MAL |
Classification: | mal52.evad.winDLL@11/14@0/0 |
EGA Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: |

- Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
- Excluded IPs from analysis (whitelisted): 20.189.173.21, 52.182.143.212, 20.189.173.20
- Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, onedsblobprdwus15.westus.cloudapp.azure.com, tse1.mm.bing.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, g.bing.com, watson.telemetry.microsoft.com, arc.msn.com
- Execution Graph export aborted for target loaddll64.exe, PID 3924, because there are no executed functions
- Execution Graph export aborted for target rundll32.exe, PID 5568, because there are no executed functions
- Not all processes were analyzed; the report is missing behavior information
- VT rate limit hit for: EMP.dll
Time | Type | Description |
---|---|---|
23:04:07 | API Interceptor | |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7912283210789232 |
Encrypted: | false |
SSDEEP: | 96:pxFNMPCap6JthNL7+f9pXIQcQgc6ObcEbcw372v+HbHgmksn3eZFDPCFYOyPdTxv:f/kC66iH+Kbh/jzR/u7s6S274lt+ |
MD5: | 702277A0E2536F3A5CB7C965593A383A |
SHA1: | CE3E23170B814303EF732360A64CBA0F4EABAE43 |
SHA-256: | 1A477275BE39BEEE69E79030948CA58AA909F2472C0C18B79E2952F7D82829C2 |
SHA-512: | 4720A242ECE439B73C5EF953ADD72558BB9F3259FE07DE8055EC7325202AD2E54BE4A700254AA95E8446ABD348356C98E56A5DE11363889D56DCB6764E16564C |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.797512079560428 |
Encrypted: | false |
SSDEEP: | 96:3SFv9Ri1yJPnyJjA55L7+f9pXIQcQgc6ObcEbcw37XaXz+HbHgSQgJPb9kp8WpsX:CFLiYJKPH+KbhnjUF/u7s6S274ltG3 |
MD5: | EDF4C6D3A614E8F89D9ED7119F6E3E40 |
SHA1: | 937CBE15A4A841AA1154ABD8F4D9047E6BEA274D |
SHA-256: | 0231545B9BD4F0E34154E311285EF7FD43430744F4A4CAE2BEF482D708D245D6 |
SHA-512: | 23EF7E23C335153814A3A9E76F51F0BB7132CD4FA196C3BDD7F8FF83740D024FCDE115187FFF32AED0E29FFA196A8444E547332776774F97A37B70089FBE2525 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 0.7978512197171237 |
Encrypted: | false |
SSDEEP: | 96:j5SFyVoRiRJPnyQjA55L7+f9pXIQcQgc6ObcEbcw37XaXz+HbHgSQgJPb9kp8WpS:jYRiRJKWH+KbhnjUF/u7s6S274ltG3 |
MD5: | D2B223B4EE43BCA9279C47159EC33BAF |
SHA1: | BD5309114D451621AE59566284392257787D59FB |
SHA-256: | 5BDF35B2D75BA9FBE8F7175331E0FA9AA0A61F9B30119C249BD70DBCABC82F29 |
SHA-512: | 0596AF36A3F74ADBD740BAB6C3567FCD34FEC1CFB3953338FF87F39EE31EA930718345DB386B5D48FE56B0800C566F08E4E97B89F795A970004EBAE1DB31EF03 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 55166 |
Entropy (8bit): | 1.6147248087794916 |
Encrypted: | false |
SSDEEP: | 96:5x8L8NG8RA6bKDN+Qttdl1oi7C51mts9M1Zd2TgzRR9GZdj3PnPXZ9JE9+LOdy39:kwR2DwwhCOC5G1lUb3PB9Q+i43JCJMM6 |
MD5: | 67B7CD3F4647ECE62C5D93A4EAE6C8D3 |
SHA1: | 90F2CAB2861F14E3A0C41AAF2B90D49B9B7928A5 |
SHA-256: | 6F478F144CB8628188518095AAB66C00E498CF8DFDD698509711CDBF6E2787F4 |
SHA-512: | DBBD1605569318D6615E5810A35D420C001B5E452DBBDD73477842CF66C0189BA1D3D5D0C43512910DC5C3B722C2561C257BDB64C5634A9C869DBD5BA593E2D1 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 54642 |
Entropy (8bit): | 1.6171142072158011 |
Encrypted: | false |
SSDEEP: | 96:5x80I8NG8HdiAbKDN+2qt2lx9oi7C51mts9MO/Jgzb3VVG2TBQFxGWU72L2Hbcsj:kkWDwlIKOC5G+wkywsd6DVvRC |
MD5: | 516579226433EC7D3989ACB88DEB942E |
SHA1: | 004843AA873C7DA9E6C0C87C9B44E5B6BDC69CF2 |
SHA-256: | AA9CD063EDA6A56E4D38D70DE01D0EA62CC38779EDCD8EB22242B5D1C311978B |
SHA-512: | 78ABF86CBF1821DDC87818847AFFDCBD152A4B9AE9B1C634B6D109AE9E1B8ACC3EBE8A103CBF86B63E8FEB7A2B3DA240723E86516D874659715B5B2C05B58B72 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8664 |
Entropy (8bit): | 3.692663772965566 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNibGQk6Y1v9gmfc2S/+pD989b8+ZfTUm:RrlsNiaz6Y99gmfc2SR8QfF |
MD5: | 6D6601235AE9A857A0CE120EBABD3977 |
SHA1: | A7C2BFBBCBF2321DFD9C00CA6E0E9DBC04D37125 |
SHA-256: | 4C391B88978BBE2A4FAF398784265FE0810648DC2E86E0B9FE297BA7C8189539 |
SHA-512: | 067F9CA087CA79E3250EE07D37F78565323E2CF86BF3E27DDB69531B04CA4B9C838EC846C0E7335EC32751AF2E8F8882463687D8989938D25F9CB3ACE3F9AEAD |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4698 |
Entropy (8bit): | 4.458593073805062 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsVJgtBI9BMyWgc8sqYj18fm8M4JCZCQPFwbjyq85mpHZESC5Sdd:uITfvHMTgrsqYGJljfVvdd |
MD5: | 6FB41D59E6D9651461C9FDA7581932FA |
SHA1: | C878608A865B05A14D71E60CCA7773EFD4965F89 |
SHA-256: | 5CCAFD2EC49D2BA42A2C786572DE0B49B102A0905481E494032FC77BAC6A0CF0 |
SHA-512: | A5D3170EA31539C9BD3718C6A6537D789C2924555EA600B6A8EF46EA3037129660BDE7140EEEA3BDB0EB47D848E6EF4CA024A1899557BD85B6EA4788008C9280 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8476 |
Entropy (8bit): | 3.6910901221512806 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiepOz6YTLvgmfc2S/+pDT89bFCQfc/Xm:RrlsNiga6Y/vgmfc2SvFVfcO |
MD5: | B253114767C789AC9179F225FCA40842 |
SHA1: | 4CF8E70C208059469662DD4C8F19406045ED05A2 |
SHA-256: | ED202735DFE6CE88415DA60A21D0D121B94AF6D46324442A0E247B348D6850E4 |
SHA-512: | D8735823CF1BDDE2E6E6F712513FF70F83081090CDE9B1DCE491D029EC9F1DAA56713B162A9D0F5E5867D9B415D757F0E177C5B20F328F972AB3B45948F0750F |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4698 |
Entropy (8bit): | 4.458529432385507 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsVJgtBI9BMyWgc8sqYjm8fm8M4JCZCQPFLTyq85mpgDZESC5SKd:uITfvHMTgrsqYnJkYDVvKd |
MD5: | 9C4F14A0D441931737FDC72A101F7E60 |
SHA1: | C945ABC3BDE46C8D3D34BBF5321B4A610039B3F4 |
SHA-256: | D0A7D009503EB49AA05F74B4CC7396E10BEF059609CDA5EF8494D4242EAE822C |
SHA-512: | 67248382A4912A302A652DBEF47CDF6CDA0984FAC5555496C470FBBD269590AEA4AE95D6B42A6AB6C0C71801892E3313EF3A337CAF2D2EC5C8EADCB39BF1D790 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 55748 |
Entropy (8bit): | 1.638596220244389 |
Encrypted: | false |
SSDEEP: | 96:5H8g38NG8LBUPGL+txA89i767Ycts9MWBkYhgVQx8hj2Tpa7PhExWIHDI4iUGLJP:CHLWaqxL9O2YWWTgVbgfiUMJjXuios |
MD5: | 57A75AD75E41E7A650F174F28689E41B |
SHA1: | BFFA75FB4B6BC767CC26BF999F0C948026C573A5 |
SHA-256: | 83ABB7BFD20DE8FB0744B69ECB007A34045811D8ADEC867095D4C96C0491398B |
SHA-512: | CC68E237526036D4FD1813A7315DC7CE22518F183E56F385D4F780F08067220755F942B4EB8A6AB987D1A009BB7C87ED5BF01163F36967DA37017AB1A6719F8B |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8492 |
Entropy (8bit): | 3.6913673668163995 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiFZP6Yp1WfpnVGgmfyS/+pDT89bDb8Qf8+pjm:RrlsNiLP6YrWfqgmfySvDbLf806 |
MD5: | C53804C66072BB9C12F68B0ED577E7A5 |
SHA1: | CAE70721C3F5E38F3E4D945568E49BD0A8808313 |
SHA-256: | FCFBABC71B4E45B969A9E8D94D18593FF453021CBBD60B13FB952BF9A4B3CA1D |
SHA-512: | FDF579601EE9B5D4D54280058E5B577A53D0747BD9D13F4A88A15FCC88D3CA53A99B03CC06D009EBBB5DBC2ACBACC36D62980171D609A12A4C6F94F62A87DA05 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4602 |
Entropy (8bit): | 4.426041675089467 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zsVJgtBI9BMyWgc8sqYjd8fm8M4J8PFf5yq853liFV1xid:uITfvHMTgrsqY2JK5miF7xid |
MD5: | 8B0BC330F05EF9E7987E009E5D2443FB |
SHA1: | 7CAB28685A9806D4F74A95034E6E7C0AA8A3EA97 |
SHA-256: | 9C65DAC06A87E5043E67210C28027AA4CB491A8D65F4CABA7A5C00B87E8669FC |
SHA-512: | 57E16F53B4313BE53EF650CA341E84F8DA426C6A011F11EEF1485AF44CD549496BF437E0B0C46AF3C9C2DB1D4E71E8107BC23C6777977DFF1D50E31EB86A4CA3 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.405400609408144 |
Encrypted: | false |
SSDEEP: | 12288:H95ZG0ubj7ybGLGqoM50UgAExAjeQGV1n1SYNnvRMkqGHrLTqqPGn8:d5ZG0ubj7ybGLGYR8 |
MD5: | 1869D3B73A0622F5DDE5FBE42A90F648 |
SHA1: | 13D2B521EAE2D413F86CED788E3273D83A8EDEBE |
SHA-256: | AE27FA732BB925D1566E9187D41803356E6CBF284F88F0ABA0B4810B01CF805B |
SHA-512: | FF81BB1095CA6002AD39B384231F374E0A9AD942CE9CC5E3F6C23770CD2265113ED1AB8928CD69D96DE96AB56A6B9C91A010D7C16FF634B09BA6294531F805C9 |
Malicious: | false |
Reputation: | low |
Process: | C:\Windows\System32\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 4.210114944342245 |
Encrypted: | false |
SSDEEP: | 768:xHbfXN+Bi+dYLRftdgFfiYWzgwS1Noe0eqniPTDv6kHF7mupUReJ2c2V:t9CiFLJplyokPRm |
MD5: | 8F25648C9E3A73C882F4D2C34267FE24 |
SHA1: | 68F9562CB59E167C6CFB6FA72201954ACE738B87 |
SHA-256: | 03FB82C54DC9CBBF862225F7828BBDDF98AF00F541AFF8AE547F8937EC11ED8A |
SHA-512: | A01813A81E6CD5660C404F151A08B6C0991327F506B10A08ECBA953E38F7F28B3E381252B44E589BC26551FCE51EADEBE2268EB6FE2CBB8A94FF42CF5944745A |
Malicious: | false |
Reputation: | low |
File type: | |
Entropy (8bit): | 5.3965188506585315 |
TrID: | |
File name: | EMP.dll |
File size: | 2'381'096 bytes |
MD5: | db26ef4c084770c461977b805e039312 |
SHA1: | 2ad4a4f89a75adcb4e79dd9e8115deed8e428cc2 |
SHA256: | e87b0f184c717ac6c3338861c892363c4981d8a01b52a4cdb30df22cd549bb06 |
SHA512: | 7ec95c75a74f112e7f4a0b79e3ce91794e8e8b809a8e777bf1db135d48d5263648f4248d8c077e12eb32cd98324d1c4771275f3d9b10de57e8fe444e326d2b86 |
SSDEEP: | 49152:nHdluR2wA7Ebw12yeTewalYCZ0L1I/DMIyjqD3HlB2Rnud:HPu9AEBi5fy7R0 |
TLSH: | 5FB5D0AD625C335CC45E84F48133FD1AB1B5571E0AE998FA70DB7BA037EB024EA45B42 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...r.._..........# ................4.........................................$......H%... ................................ |
Icon Hash: | 7ae282899bbab082 |
Entrypoint: | 0x13001334 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x13000000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL |
DLL Characteristics: | HIGH_ENTROPY_VA |
Time Stamp: | 0x5F12FD72 [Sat Jul 18 13:47:30 2020 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | fc7124d57387852c0a6a634e9130bf57 |
Signature Valid: | false |
Signature Issuer: | CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
Signature Validation Error: | A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file |
Error Number: | -2146762495 |
Not Before, Not After: | |
Subject Chain: | |
Version: | 3 |
Thumbprint MD5: | 222DFEBC887259F885FE13977610F5DA |
Thumbprint SHA-1: | D715230B535C8937B469632EC6158761FD18AD21 |
Thumbprint SHA-256: | 2F514022B216F43435225B25821A21AC3EF821E357AFE25DCE02E32473713140 |
Serial: | 5F9E06262D2EED425C886A4709350426 |
Instruction |
---|
jmp 00007F2D64BBD216h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
dec eax |
mov dword ptr [esp+20h], ebx |
push ebp |
dec eax |
mov ebp, esp |
dec eax |
sub esp, 20h |
dec eax |
mov eax, dword ptr [00001C88h] |
dec eax |
mov ebx, 2DDFA232h |
cdq |
sub eax, dword ptr [eax] |
add byte ptr [eax+3Bh], cl |
ret |
jne 00007F2D64976F76h |
dec eax |
and dword ptr [ebp+18h], 00000000h |
dec eax |
lea ecx, dword ptr [ebp+18h] |
call dword ptr [00000C72h] |
dec eax |
mov eax, dword ptr [ebp+18h] |
dec eax |
mov dword ptr [ebp+10h], eax |
call dword ptr [00000C5Ch] |
mov eax, eax |
dec eax |
xor dword ptr [ebp+10h], eax |
call dword ptr [00000C48h] |
mov eax, eax |
dec eax |
lea ecx, dword ptr [ebp+20h] |
dec eax |
xor dword ptr [ebp+10h], eax |
call dword ptr [00000C70h] |
mov eax, dword ptr [ebp+20h] |
dec eax |
lea ecx, dword ptr [ebp+10h] |
dec eax |
shl eax, 20h |
dec eax |
xor eax, dword ptr [ebp+20h] |
dec eax |
xor eax, dword ptr [ebp+10h] |
dec eax |
xor eax, ecx |
dec eax |
mov ecx, FFFFFFFFh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x26a0 | 0x48 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26e8 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x249000 | 0xe9 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x247670 | 0x1a4 | .EMP1 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x244200 | 0x1328 | .EMP1 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x248000 | 0x90 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x21a0 | 0x130 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0xd0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x1000 | 0xe00 | False | 0.5248325892857143 | COM executable for DOS | 5.346418402387276 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x2000 | 0x1000 | 0xc00 | False | 0.5003255208333334 | data | 4.601490532139524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x3000 | 0x1000 | 0x200 | False | 0.09765625 | DOS executable (block device driver \322f\324\377\3772) | 0.449785945830048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.pdata | 0x4000 | 0x1000 | 0x200 | False | 0.771484375 | data | 5.9356907934372565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.EMP0 | 0x5000 | 0x1000 | 0x200 | False | 1.021484375 | data | 7.445405146578605 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data2 | 0x6000 | 0x17000 | 0x17000 | False | 0.10210385529891304 | data | 1.4747587984180186 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.EMP | 0x1d000 | 0x33000 | 0x33000 | False | 0.10063859528186274 | DOS executable (COM) | 1.6187273480022606 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.data3 | 0x50000 | 0x99000 | 0x99000 | False | 0.001003689236111111 | data | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.EMP1 | 0xe9000 | 0x15e814 | 0x15ea00 | False | 0.8115028966131907 | data | 7.313338667858036 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.reloc | 0x248000 | 0x90 | 0x200 | False | 0.232421875 | data | 1.3813315586181503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.rsrc | 0x249000 | 0xe9 | 0x200 | False | 0.333984375 | data | 2.5312981004807127 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_MANIFEST | 0x249058 | 0x91 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.8689655172413793 |
DLL | Import |
---|---|
KERNEL32.dll | IsDebuggerPresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsProcessorFeaturePresent, LoadLibraryA, UnhandledExceptionFilter, GetProcAddress, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext |
Name | Ordinal | Address |
---|---|---|
EMP | 1 | 0x13001010 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Target ID: | 0 |
Start time: | 23:04:04 |
Start date: | 25/09/2023 |
Path: | C:\Windows\System32\loaddll64.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff614fa0000 |
File size: | 165'888 bytes |
MD5 hash: | 763455F9DCB24DFEECC2B9D9F8D46D52 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 1 |
Start time: | 23:04:04 |
Start date: | 25/09/2023 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e86d0000 |
File size: | 625'664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 2 |
Start time: | 23:04:04 |
Start date: | 25/09/2023 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7e86d0000 |
File size: | 273'920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 3 |
Start time: | 23:04:04 |
Start date: | 25/09/2023 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7a1950000 |
File size: | 69'632 bytes |
MD5 hash: | 73C519F050C20580F8A62C849D49215A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 4 |
Start time: | 23:04:04 |
Start date: | 25/09/2023 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7a1950000 |
File size: | 69'632 bytes |
MD5 hash: | 73C519F050C20580F8A62C849D49215A |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 8 |
Start time: | 23:04:04 |
Start date: | 25/09/2023 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff702890000 |
File size: | 494'488 bytes |
MD5 hash: | 2AFFE478D86272288BBEF5A00BBEF6A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 9 |
Start time: | 23:04:04 |
Start date: | 25/09/2023 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff702890000 |
File size: | 494'488 bytes |
MD5 hash: | 2AFFE478D86272288BBEF5A00BBEF6A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |
Target ID: | 11 |
Start time: | 23:04:07 |
Start date: | 25/09/2023 |
Path: | C:\Windows\System32\WerFault.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff702890000 |
File size: | 494'488 bytes |
MD5 hash: | 2AFFE478D86272288BBEF5A00BBEF6A0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | true |