Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll
Analysis ID:	1427301
MD5:	bca3b499bf4edf8590ad273592fc411b
SHA1:	c18679cda189f68f8d7022055a7e5d6aff8d1e58
SHA256:	6fb6dc7049299c3172ee60c3f0a0319bd33d0c6b2c9836bf0051e59084e6fce0
Tags:	dll
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 1264 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1440 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6388 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6500 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginPro MD5: 889B99C52A60DD49227C5E485A016679)

clink410.exe (PID: 1852 cmdline: clink410.exe MD5: F91DD2C9AB406FCA3F15680779305DCC)

rundll32.exe (PID: 2132 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginTYFw MD5: 889B99C52A60DD49227C5E485A016679)

clink410.exe (PID: 2136 cmdline: clink410.exe MD5: F91DD2C9AB406FCA3F15680779305DCC)

rundll32.exe (PID: 2108 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,getXuhaoVal MD5: 889B99C52A60DD49227C5E485A016679)

clink410.exe (PID: 6308 cmdline: clink410.exe MD5: F91DD2C9AB406FCA3F15680779305DCC)

rundll32.exe (PID: 2508 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginPro MD5: 889B99C52A60DD49227C5E485A016679)

clink410.exe (PID: 2260 cmdline: clink410.exe MD5: F91DD2C9AB406FCA3F15680779305DCC)

rundll32.exe (PID: 3656 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginTYFw MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3372 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3040 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",xtLoginTYFw MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5896 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal2 MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Virustotal: Detection: 57%			Perma Link

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 103.192.208.126:511
Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 101.71.135.228:300
Source: global traffic	TCP traffic: 192.168.2.5:49706 -> 101.71.135.229:300
Source: global traffic	TCP traffic: 192.168.2.5:49708 -> 103.192.208.9:300
Source: global traffic	TCP traffic: 192.168.2.5:49709 -> 103.192.208.76:300
Source: global traffic	TCP traffic: 192.168.2.5:49711 -> 115.236.153.233:300
Source: global traffic	TCP traffic: 192.168.2.5:49710 -> 115.236.153.228:300
Source: global traffic	TCP traffic: 192.168.2.5:49712 -> 45.124.76.252:300
Source: global traffic	TCP traffic: 192.168.2.5:49713 -> 103.192.208.113:300

Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.228
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.229
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.9
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.76
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.228
Source: unknown	TCP traffic detected without corresponding DNS query: 45.124.76.252
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.113
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.76
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.113
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.124.76.252
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.113
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.76
Source: unknown	TCP traffic detected without corresponding DNS query: 45.124.76.252
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.9
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.113
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.113
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.76
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.229
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.228
Source: unknown	TCP traffic detected without corresponding DNS query: 45.124.76.252
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.228
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.9
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.76
Source: unknown	TCP traffic detected without corresponding DNS query: 45.124.76.252
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.9
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.228
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.228
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.228
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.228
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.229
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.229
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.229
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: res3.csasnet.net

Source: loaddll32.exe, 00000000.00000003.2161044251.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2161332627.0000000002602000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2074042252.00000000044E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2073269346.0000000004358000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 00000006.00000002.2077003310.0000000000CAE000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000007.00000003.2101300407.0000000003F56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101015065.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 00000008.00000000.2102134892.0000000000CAE000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000009.00000003.2131275389.0000000005175000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2131536097.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 0000000A.00000000.2132309835.0000000000CAE000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 0000000B.00000003.2163928361.0000000004367000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2163353058.00000000047D7000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 0000000C.00000000.2162428498.0000000000CAE000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 0000000D.00000003.2162958770.00000000046AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2167904419.0000000004230000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2163428078.00000000049AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2168011079.000000000452C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2168365522.000000000404D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2164459369.00000000044CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2165688153.0000000004B5F000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: https://www.anweishi.com

Source: clink410.exe.4.dr

Static PE information: Resource name: MYDATA type: DOS executable (COM)

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal48.winDLL@31/3@2/9

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\clink410.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginPro

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Virustotal: Detection: 57%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginPro
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginTYFw
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,getXuhaoVal
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginPro
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginTYFw
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",xtLoginTYFw
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginPro	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginTYFw	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,getXuhaoVal	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginPro	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginTYFw	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",xtLoginTYFw	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK
Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK
Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK
Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK
Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static file information: File size 4792832 > 1048576

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x466e00

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\clink410.exe

Code function: 12_2_00BEC155 push ecx; ret

12_2_00BEC168

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\clink410.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\clink410.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_12-865

Source: C:\Users\user\Desktop\clink410.exe

API coverage: 9.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: clink410.exe, 0000000C.00000002.3317846298.00000000006CF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0gW

Source: C:\Users\user\Desktop\clink410.exe

API call chain: ExitProcess graph end node

graph_12-866

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\clink410.exe

Code function: 12_2_00BF2187 _memset,IsDebuggerPresent,

12_2_00BF2187

Source: C:\Users\user\Desktop\clink410.exe

Code function: 12_2_00BFE6F5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

12_2_00BFE6F5

Source: C:\Users\user\Desktop\clink410.exe

Code function: 12_2_00BF1AE2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

12_2_00BF1AE2

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior

Source: loaddll32.exe, 00000000.00000003.2161044251.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2161332627.0000000002602000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2074042252.00000000044E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: resNu=ProgmanSHELLDLL_DefViewSysListView32\pro.nlp.lnk\.lnk.lnk\.lnk\\pro.nlp ierr=FindResource err
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Binary or memory string: USER32.DLLMessageBoxWGetActiveWindowGetLastActivePopupGetUserObjectInformationWGetProcessWindowStationCreateFile2CONOUT$1#SNAN1#IND1#INF1#QNANgenericunknown erroriostreamiostream stream errorsystem%dMYDATA.execlinkclinkMsgProgmanSHELLDLL_DefViewSysListView32string too longinvalid string positionbad locale name: ios_base::badbit setios_base::failbit setios_base::eofbit set><vector<T> too longbad cast

Source: C:\Users\user\Desktop\clink410.exe

Code function: 6_2_00BF144D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

6_2_00BF144D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	42%	ReversingLabs	Win32.Trojan.Znyonm
SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	57%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
res1.csasnet.com	0%	Virustotal		Browse
res3.csasnet.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.anweishi.com	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
res1.csasnet.com	115.236.153.253	true	false	0%, Virustotal, Browse	unknown
res3.csasnet.net	115.236.153.254	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.anweishi.com	loaddll32.exe, 00000000.00000003.2161044251.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2161332627.0000000002602000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2074042252.00000000044E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2073269346.0000000004358000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 00000006.00000002.2077003310.0000000000CAE000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000007.00000003.2101300407.0000000003F56000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.2101015065.00000000043C1000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 00000008.00000000.2102134892.0000000000CAE000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000009.00000003.2131275389.0000000005175000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.2131536097.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 0000000A.00000000.2132309835.0000000000CAE000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 0000000B.00000003.2163928361.0000000004367000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.2163353058.00000000047D7000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 0000000C.00000000.2162428498.0000000000CAE000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 0000000D.00000003.2162958770.00000000046AF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.2167904419.0000000004230000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2163428078.00000000049AB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.2168011079.000000000452C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2168365522.000000000404D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2164459369.00000000044CF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.2165688153.0000000004B5F000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
115.236.153.228	unknown	China	58461	CT-HANGZHOU-IDCNo288Fu-chunRoadCN	false
45.124.76.252	unknown	China	55720	GIGABIT-MYGigabitHostingSdnBhdMY	false
115.236.153.233	unknown	China	58461	CT-HANGZHOU-IDCNo288Fu-chunRoadCN	false
103.192.208.76	unknown	China	17907	NUSKOPENuSkopePtyLtdAU	false
101.71.135.228	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
103.192.208.9	unknown	China	17907	NUSKOPENuSkopePtyLtdAU	false
103.192.208.126	unknown	China	17907	NUSKOPENuSkopePtyLtdAU	false
101.71.135.229	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
103.192.208.113	unknown	China	17907	NUSKOPENuSkopePtyLtdAU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427301
Start date and time:	2024-04-17 12:48:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll
Detection:	MAL
Classification:	mal48.winDLL@31/3@2/9
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target clink410.exe, PID 1852 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
12:49:12	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
115.236.153.233	1zDbKSIQpy.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
res1.csasnet.com	1zDbKSIQpy.exe	Get hash	malicious	Unknown	Browse	45.124.76.254
res3.csasnet.net	1zDbKSIQpy.exe	Get hash	malicious	Unknown	Browse	115.236.153.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GIGABIT-MYGigabitHostingSdnBhdMY	P5uKPY120j.elf	Get hash	malicious	Mirai	Browse	103.21.89.48
	x86	Get hash	malicious	Unknown	Browse	103.229.227.51
	http://18255.com	Get hash	malicious	Unknown	Browse	103.232.84.252
	11068-1106811068-11068.lnk	Get hash	malicious	NetSupport RAT, NetSupport Downloader, MalLnk	Browse	45.121.147.137
	5kh7DYQuRs.elf	Get hash	malicious	Unknown	Browse	103.85.108.56
	r8S55MyrFG.elf	Get hash	malicious	Mirai	Browse	103.71.179.248
	vyl0vd4LaO.elf	Get hash	malicious	Mirai	Browse	103.21.90.35
	9AMYQBwspv.elf	Get hash	malicious	Mirai	Browse	103.21.90.32
	Invoice_for_Return_of_Excess_Amount_(Temmuz)_.exe	Get hash	malicious	GuLoader, Remcos	Browse	103.212.71.108
CT-HANGZHOU-IDCNo288Fu-chunRoadCN	OuJmSE9GcF.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.239.80.230
	DqbYZ8Ns4k.elf	Get hash	malicious	Mirai	Browse	60.190.221.181
	sEzW1OZkw1.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.100.229
	SPe0uXr3N3.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.65.231
	SO8J3K15us.elf	Get hash	malicious	Gafgyt	Browse	115.220.147.232
	dVbrHqaCf1.elf	Get hash	malicious	Gafgyt	Browse	115.220.147.211
	21whXUKd06.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.147.243
	eiHXI8khyb.elf	Get hash	malicious	Mirai	Browse	183.131.107.149
	SecuriteInfo.com.Trojan.Siggen13.11902.1474.19881.exe	Get hash	malicious	Unknown	Browse	202.91.251.58
	3RIodZx5Hr.elf	Get hash	malicious	Mirai, Okiru	Browse	115.222.23.254
CT-HANGZHOU-IDCNo288Fu-chunRoadCN	OuJmSE9GcF.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.239.80.230
	DqbYZ8Ns4k.elf	Get hash	malicious	Mirai	Browse	60.190.221.181
	sEzW1OZkw1.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.100.229
	SPe0uXr3N3.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.65.231
	SO8J3K15us.elf	Get hash	malicious	Gafgyt	Browse	115.220.147.232
	dVbrHqaCf1.elf	Get hash	malicious	Gafgyt	Browse	115.220.147.211
	21whXUKd06.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.147.243
	eiHXI8khyb.elf	Get hash	malicious	Mirai	Browse	183.131.107.149
	SecuriteInfo.com.Trojan.Siggen13.11902.1474.19881.exe	Get hash	malicious	Unknown	Browse	202.91.251.58
	3RIodZx5Hr.elf	Get hash	malicious	Mirai, Okiru	Browse	115.222.23.254

Process:	C:\Users\user\Desktop\clink410.exe
File Type:	data
Category:	dropped
Size (bytes):	852
Entropy (8bit):	7.7767617232232285
Encrypted:	false
SSDEEP:	24:X2M71RpVqtCe5YTjLADkmQHqvDCKuRkSP9:ma1RLqcTXXmQK0RVP9
MD5:	018AB155EB16AED6DDFD346099F8A565
SHA1:	5DF872AA1C17ECB2215D20A7752AD921CDD9D034
SHA-256:	E97EBA2D034713B61C3985DF444118E71F1CB1C28FC92ABB93DCD5703FEC4688
SHA-512:	E1E9CA0AD5AEF365BE1C089761BE0A9E4453A9384E42AF1BC9F2DCBAD9955B47A35EA321CF22B4EE5A583534B8F0B38F8924D468AB12E0FAFE408DB53C850E6B
Malicious:	false
Preview:	P........u.5.U&3.W\;2.l.R.p.\-.....?EsM.....5.}.sf2n...F....u..=."... ...q......`i........!....bY5[...z.R'."..M.2.=..G..O.....0IDII-.._.%.. ..YK...xs.\|.&ct..]..l.Nk./Ee(r..$......j..V.:.......,Q..\|..w.^....iy.{.t(M........x...4cb>G.Q...D{.A.\f.r....(g.K..7...<@Z.F....&75+.h..s.Jb...B...(...-3.[).~..2..r..f6...........Eh.%.uC...s.UrfS.N..-d......cK.............p....X.[.9XC.....E...I..:.a@..k....\.....;..q..a....C.&.o.W3.:.`A...J.2W.....'....a.adL.ev..P.....r..f.?........H.YD..y.eGe.@.v,9......t.^...u.U..w.=...Ks.s....H.=.7....L].KI.F.C.'.f.'...[\|vp..V[.m.S......sX.Z.V.'.4.W-.Z....s...."C.x..........:..J.B...H..F..&..)x.,+.wW......s\....^.5..q......e.._..z...L..h.d..~o...l.uY..8gb.[..F.s...&v...a$-.y.!.LJ........V.....}..s]..o.]EF....'...x+g. ...v.(.....tn*~..!b..$...+...0..$.%6>.Cm.O.Z.tG.Y.2p..

C:\Users\user\AppData\Roaming\clinkm2.data

Download File

Process:	C:\Users\user\Desktop\clink410.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.10528770123697763
Encrypted:	false
SSDEEP:	3:VWAQWAsEiLlruX0v:RDzEilik
MD5:	ED9C5866CACB2C209F1B4A0198B85794
SHA1:	7C074383B09A85D712892FEFE2052FD1C3FFF177
SHA-256:	8CEC3950A9BF76E446E01B80E8231B34E37A7C8D480918B1B357A4263D89985C
SHA-512:	AC8945F15D326A96A2E129D6A4D720F5D6AFE1398BD576FEAD8D940B217C32884E0D6207C7D1D6A4ABDE486838F987EFE053C4B428911A38F41BE44B6321DD1B
Malicious:	false
Preview:	.S..a3e53e0cbf9d4a17918c875492cbce47....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\clink410.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4613632
Entropy (8bit):	7.043550339564266
Encrypted:	false
SSDEEP:	98304:tRdbR/SYR9T+fuJ4bB8qXmsNAGWN7Bo1xXXyIuBoPMFLOAkGkzdnEVomFHKnPc:tnhSfXrXio1xXXyBoPMFLOyomFHKnP
MD5:	F91DD2C9AB406FCA3F15680779305DCC
SHA1:	8EA7C1AA10A68211715E4363E11E915670DB33CF
SHA-256:	C2A193BC5741545E27EBBF7A728EA5629D48E0B73BD4112083497458F39E71FC
SHA-512:	F0413FB35AE79D81428BDB8B6CA96A1A9DE6A9601A49BABCF56DD94AC098C0DE4B04D06EDF816F633E32CD8CA7C59AA3A38A4A648937D959E33220604A1BF41C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........NL^./"../"../"..W.../"..W.../"..W.../"../#..,"..~.../"..~...."..~..Z."..}.../"..}.../"../.../"..}.../".Rich./".........PE..L....{.e.................b..........q............@..........................@G...........@..................................k".......#.x!...................E..(...................................9 .@............................................text....`.......b.................. ..`.rdata..(%.......&...f..............@..@.data....(....".......".............@....rsrc...x!...#..,!...#.............@..@.reloc...(....E.....<D.............@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.089134093158391
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll
File size:	4'792'832 bytes
MD5:	bca3b499bf4edf8590ad273592fc411b
SHA1:	c18679cda189f68f8d7022055a7e5d6aff8d1e58
SHA256:	6fb6dc7049299c3172ee60c3f0a0319bd33d0c6b2c9836bf0051e59084e6fce0
SHA512:	3935e1936d1b909a9719dcd5f3ee0526c8e840d04e6617ad1fa1b7f876046f5fa0f1e48a9a56d68d7a2ca87572030ea3df666af3e1a804a211375596ba1256ae
SSDEEP:	49152:pAkKo7fIMLsI7eAJceXxl5h7+JF3HYgijO6WDZwdKYQgf3RjFkhDa+nRk2H8d:pP37fIceAJLkvCO6WDZwdKggh2
TLSH:	2926BF6E97E45E4DAB1B4BE59C3BA7E81942CF01656F86CF15C1CA44E3E8FCA104B390
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.S.>i..>i..>i..o...>i..o...>i..o..p>i..F...>i..>h..>i..l...>i..l...>i..l...>i..>...>i..l...>i.Rich.>i.........PE..L....{.e...

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1000981f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x650E7BCA [Sat Sep 23 05:46:50 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	702466d805e925a74c5b750dae64fa7a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FC800EADA97h
call 00007FC800EB7BF1h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007FC800EADA9Ch
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 10027FB8h
call 00007FC800EB3997h
xor eax, eax
inc eax
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007FC800EADA9Eh
cmp dword ptr [1002B0C8h], esi
je 00007FC800EADB7Ah
and dword ptr [ebp-04h], 00000000h
cmp esi, 01h
je 00007FC800EADA97h
cmp esi, 02h
jne 00007FC800EADAC7h
mov ecx, dword ptr [100213A0h]
test ecx, ecx
je 00007FC800EADA9Eh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FC800EADB47h
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007FC800EAD8A6h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007FC800EADB30h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007FC800EA88A1h
mov edi, eax
mov dword ptr [ebp-1Ch], edi
cmp esi, 01h
jne 00007FC800EADABAh
test edi, edi
jne 00007FC800EADAB6h
push ebx
push eax
push dword ptr [ebp+08h]
call 00007FC800EA8889h
push ebx
push edi
push dword ptr [ebp+08h]
call 00007FC800EAD86Ch
mov eax, dword ptr [100213A0h]
test eax, eax
je 00007FC800EADA99h
push ebx
push edi
push dword ptr [ebp+08h]
call eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[EXP] VS2013 build 21005
[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x28610	0x9f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x286b0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0x466d78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x494000	0x1d58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x269d0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x20000	0x164	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1e51a	0x1e600	fdfd327103d4c6b5f1ae2c9f8e5277d7	False	0.5533773791152263	data	6.6333240223790195	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x20000	0x8eae	0x9000	82b586034e377c629f0798945d0aac6c	False	0.3738606770833333	data	4.70691480244013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x29000	0x3d68	0x1c00	784047e184693078d96818b5ef4ac95f	False	0.30398995535714285	DOS executable (block device driver ght (c)	3.868903672114225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2d000	0x466d78	0x466e00	ce26efbc85e994f9786410279fc316ee	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x494000	0x1d58	0x1e00	32ba9d88e438f1d15233c557d3e4f0ed	False	0.7600260416666667	data	6.546482667203409	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MYDATA	0x2d100	0x466a14	data	Chinese	China	0.5479860305786133
RT_VERSION	0x493b18	0xdc	data	Chinese	China	0.6636363636363637
RT_MANIFEST	0x493bf8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	FindResourceW, GetLastError, SizeofResource, LoadResource, LockResource, CreatePipe, MultiByteToWideChar, CreateProcessW, WaitForSingleObject, CloseHandle, Sleep, CreateThread, WideCharToMultiByte, GetCurrentProcessId, GetModuleFileNameW, OpenProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, TerminateProcess, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetEndOfFile, CreateFileW, OutputDebugStringW, WriteConsoleW, SetStdHandle, ReadConsoleW, LoadLibraryExW, HeapReAlloc, FreeEnvironmentStringsW, DeleteCriticalSection, EncodePointer, DecodePointer, GetStringTypeW, HeapFree, IsDebuggerPresent, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, GetCommandLineA, GetCurrentThreadId, RaiseException, RtlUnwind, HeapAlloc, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, GetCurrentProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ExitProcess, GetModuleHandleExW, AreFileApisANSI, HeapSize, GetProcessHeap, IsValidCodePage, GetACP, GetOEMCP, GetStdHandle, GetFileType, WriteFile, GetConsoleCP, GetConsoleMode, ReadFile, SetFilePointerEx, FlushFileBuffers, GetModuleFileNameA, QueryPerformanceCounter, GetEnvironmentStringsW
USER32.dll	FindWindowW, PostMessageW, FindWindowExW
SHELL32.dll	SHChangeNotify

Exports

Name	Ordinal	Address
LoginPro	1	0x10003060
LoginTYFw	2	0x10003060
getXuhaoVal	3	0x10003040
getXuhaoVal2	4	0x10003050
xtLoginTYFw	5	0x10003070

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 12:49:14.485100985 CEST	49705	511	192.168.2.5	103.192.208.126
Apr 17, 2024 12:49:14.807378054 CEST	511	49705	103.192.208.126	192.168.2.5
Apr 17, 2024 12:49:14.807477951 CEST	49705	511	192.168.2.5	103.192.208.126
Apr 17, 2024 12:49:14.916455030 CEST	49705	511	192.168.2.5	103.192.208.126
Apr 17, 2024 12:49:15.239042997 CEST	511	49705	103.192.208.126	192.168.2.5
Apr 17, 2024 12:49:15.239115000 CEST	511	49705	103.192.208.126	192.168.2.5
Apr 17, 2024 12:49:15.239577055 CEST	49705	511	192.168.2.5	103.192.208.126
Apr 17, 2024 12:49:15.562057018 CEST	511	49705	103.192.208.126	192.168.2.5
Apr 17, 2024 12:49:15.562139988 CEST	49705	511	192.168.2.5	103.192.208.126
Apr 17, 2024 12:49:15.634104967 CEST	49707	300	192.168.2.5	101.71.135.228
Apr 17, 2024 12:49:15.634119034 CEST	49706	300	192.168.2.5	101.71.135.229
Apr 17, 2024 12:49:15.634169102 CEST	49708	300	192.168.2.5	103.192.208.9
Apr 17, 2024 12:49:15.637569904 CEST	49709	300	192.168.2.5	103.192.208.76
Apr 17, 2024 12:49:15.649703026 CEST	49711	300	192.168.2.5	115.236.153.233
Apr 17, 2024 12:49:15.649703026 CEST	49710	300	192.168.2.5	115.236.153.228
Apr 17, 2024 12:49:15.649785042 CEST	49712	300	192.168.2.5	45.124.76.252
Apr 17, 2024 12:49:15.649858952 CEST	49713	300	192.168.2.5	103.192.208.113
Apr 17, 2024 12:49:15.958609104 CEST	300	49709	103.192.208.76	192.168.2.5
Apr 17, 2024 12:49:15.958743095 CEST	49709	300	192.168.2.5	103.192.208.76
Apr 17, 2024 12:49:15.960041046 CEST	300	49713	103.192.208.113	192.168.2.5
Apr 17, 2024 12:49:15.960112095 CEST	49713	300	192.168.2.5	103.192.208.113
Apr 17, 2024 12:49:15.974937916 CEST	300	49708	103.192.208.9	192.168.2.5
Apr 17, 2024 12:49:15.975014925 CEST	49708	300	192.168.2.5	103.192.208.9
Apr 17, 2024 12:49:15.977905989 CEST	300	49712	45.124.76.252	192.168.2.5
Apr 17, 2024 12:49:15.977982998 CEST	49712	300	192.168.2.5	45.124.76.252
Apr 17, 2024 12:49:15.994761944 CEST	300	49711	115.236.153.233	192.168.2.5
Apr 17, 2024 12:49:15.994944096 CEST	49711	300	192.168.2.5	115.236.153.233
Apr 17, 2024 12:49:16.273011923 CEST	300	49713	103.192.208.113	192.168.2.5
Apr 17, 2024 12:49:16.273801088 CEST	49713	300	192.168.2.5	103.192.208.113
Apr 17, 2024 12:49:16.283936977 CEST	300	49709	103.192.208.76	192.168.2.5
Apr 17, 2024 12:49:16.287995100 CEST	49709	300	192.168.2.5	103.192.208.76
Apr 17, 2024 12:49:16.309159994 CEST	300	49712	45.124.76.252	192.168.2.5
Apr 17, 2024 12:49:16.309751987 CEST	49712	300	192.168.2.5	45.124.76.252
Apr 17, 2024 12:49:16.324863911 CEST	300	49708	103.192.208.9	192.168.2.5
Apr 17, 2024 12:49:16.325393915 CEST	49708	300	192.168.2.5	103.192.208.9
Apr 17, 2024 12:49:16.340698004 CEST	300	49711	115.236.153.233	192.168.2.5
Apr 17, 2024 12:49:16.341082096 CEST	49711	300	192.168.2.5	115.236.153.233
Apr 17, 2024 12:49:16.584072113 CEST	300	49713	103.192.208.113	192.168.2.5
Apr 17, 2024 12:49:16.584135056 CEST	300	49713	103.192.208.113	192.168.2.5
Apr 17, 2024 12:49:16.584193945 CEST	300	49713	103.192.208.113	192.168.2.5
Apr 17, 2024 12:49:16.584315062 CEST	49713	300	192.168.2.5	103.192.208.113
Apr 17, 2024 12:49:16.600861073 CEST	49713	300	192.168.2.5	103.192.208.113
Apr 17, 2024 12:49:16.609379053 CEST	300	49709	103.192.208.76	192.168.2.5
Apr 17, 2024 12:49:16.609409094 CEST	300	49709	103.192.208.76	192.168.2.5
Apr 17, 2024 12:49:16.609427929 CEST	300	49709	103.192.208.76	192.168.2.5
Apr 17, 2024 12:49:16.609512091 CEST	49709	300	192.168.2.5	103.192.208.76
Apr 17, 2024 12:49:16.633439064 CEST	49706	300	192.168.2.5	101.71.135.229
Apr 17, 2024 12:49:16.633451939 CEST	49707	300	192.168.2.5	101.71.135.228
Apr 17, 2024 12:49:16.637931108 CEST	300	49712	45.124.76.252	192.168.2.5
Apr 17, 2024 12:49:16.637968063 CEST	300	49712	45.124.76.252	192.168.2.5
Apr 17, 2024 12:49:16.637998104 CEST	300	49712	45.124.76.252	192.168.2.5
Apr 17, 2024 12:49:16.638061047 CEST	49712	300	192.168.2.5	45.124.76.252
Apr 17, 2024 12:49:16.649025917 CEST	49710	300	192.168.2.5	115.236.153.228
Apr 17, 2024 12:49:16.676723957 CEST	300	49708	103.192.208.9	192.168.2.5
Apr 17, 2024 12:49:16.676781893 CEST	300	49708	103.192.208.9	192.168.2.5
Apr 17, 2024 12:49:16.676822901 CEST	300	49708	103.192.208.9	192.168.2.5
Apr 17, 2024 12:49:16.676893950 CEST	49708	300	192.168.2.5	103.192.208.9
Apr 17, 2024 12:49:16.686609030 CEST	300	49711	115.236.153.233	192.168.2.5
Apr 17, 2024 12:49:16.686631918 CEST	300	49711	115.236.153.233	192.168.2.5
Apr 17, 2024 12:49:16.686646938 CEST	300	49711	115.236.153.233	192.168.2.5
Apr 17, 2024 12:49:16.686733007 CEST	49711	300	192.168.2.5	115.236.153.233
Apr 17, 2024 12:49:16.696866989 CEST	49709	300	192.168.2.5	103.192.208.76
Apr 17, 2024 12:49:16.701165915 CEST	49712	300	192.168.2.5	45.124.76.252
Apr 17, 2024 12:49:16.705121040 CEST	49708	300	192.168.2.5	103.192.208.9
Apr 17, 2024 12:49:16.708399057 CEST	49711	300	192.168.2.5	115.236.153.233
Apr 17, 2024 12:49:16.911205053 CEST	300	49713	103.192.208.113	192.168.2.5
Apr 17, 2024 12:49:17.019501925 CEST	300	49709	103.192.208.76	192.168.2.5
Apr 17, 2024 12:49:17.029577017 CEST	300	49712	45.124.76.252	192.168.2.5
Apr 17, 2024 12:49:17.037714005 CEST	300	49710	115.236.153.228	192.168.2.5
Apr 17, 2024 12:49:17.037857056 CEST	49710	300	192.168.2.5	115.236.153.228
Apr 17, 2024 12:49:17.053211927 CEST	300	49708	103.192.208.9	192.168.2.5
Apr 17, 2024 12:49:17.053338051 CEST	300	49711	115.236.153.233	192.168.2.5
Apr 17, 2024 12:49:17.431066036 CEST	300	49710	115.236.153.228	192.168.2.5
Apr 17, 2024 12:49:17.432008982 CEST	49710	300	192.168.2.5	115.236.153.228
Apr 17, 2024 12:49:17.831254959 CEST	300	49710	115.236.153.228	192.168.2.5
Apr 17, 2024 12:49:17.831276894 CEST	300	49710	115.236.153.228	192.168.2.5
Apr 17, 2024 12:49:17.831290007 CEST	300	49710	115.236.153.228	192.168.2.5
Apr 17, 2024 12:49:17.831531048 CEST	49710	300	192.168.2.5	115.236.153.228
Apr 17, 2024 12:49:17.836721897 CEST	49710	300	192.168.2.5	115.236.153.228
Apr 17, 2024 12:49:18.241391897 CEST	300	49710	115.236.153.228	192.168.2.5
Apr 17, 2024 12:49:18.649153948 CEST	49706	300	192.168.2.5	101.71.135.229
Apr 17, 2024 12:49:22.649034023 CEST	49706	300	192.168.2.5	101.71.135.229
Apr 17, 2024 12:49:30.649039030 CEST	49706	300	192.168.2.5	101.71.135.229

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 12:49:14.378323078 CEST	64342	53	192.168.2.5	1.1.1.1
Apr 17, 2024 12:49:14.589095116 CEST	64954	53	192.168.2.5	1.1.1.1
Apr 17, 2024 12:49:15.036900997 CEST	53	64342	1.1.1.1	192.168.2.5
Apr 17, 2024 12:49:15.472599030 CEST	53	64954	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 17, 2024 12:49:14.378323078 CEST	192.168.2.5	1.1.1.1	0xaa9f	Standard query (0)	res3.csasnet.net	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:49:14.589095116 CEST	192.168.2.5	1.1.1.1	0xe466	Standard query (0)	res1.csasnet.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 17, 2024 12:49:15.036900997 CEST	1.1.1.1	192.168.2.5	0xaa9f	No error (0)	res3.csasnet.net	115.236.153.254	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:49:15.036900997 CEST	1.1.1.1	192.168.2.5	0xaa9f	No error (0)	res3.csasnet.net	124.221.138.85	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:49:15.036900997 CEST	1.1.1.1	192.168.2.5	0xaa9f	No error (0)	res3.csasnet.net	103.192.208.126	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:49:15.472599030 CEST	1.1.1.1	192.168.2.5	0xe466	No error (0)	res1.csasnet.com	115.236.153.253	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:49:15.472599030 CEST	1.1.1.1	192.168.2.5	0xe466	No error (0)	res1.csasnet.com	124.221.138.85	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:49:15.472599030 CEST	1.1.1.1	192.168.2.5	0xe466	No error (0)	res1.csasnet.com	45.124.76.254	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:49:03
Start date:	17/04/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll"
Imagebase:	0x270000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:49:03
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:49:03
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:49:03
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginPro
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:49:03
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:49:04
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\clink410.exe
Wow64 process (32bit):	false
Commandline:	clink410.exe
Imagebase:	0xa70000
File size:	4'613'632 bytes
MD5 hash:	F91DD2C9AB406FCA3F15680779305DCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:49:06
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginTYFw
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:49:06
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\clink410.exe
Wow64 process (32bit):	false
Commandline:	clink410.exe
Imagebase:	0xa70000
File size:	4'613'632 bytes
MD5 hash:	F91DD2C9AB406FCA3F15680779305DCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:49:09
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,getXuhaoVal
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:49:09
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\clink410.exe
Wow64 process (32bit):	false
Commandline:	clink410.exe
Imagebase:	0xa70000
File size:	4'613'632 bytes
MD5 hash:	F91DD2C9AB406FCA3F15680779305DCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:49:12
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginPro
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	12:49:12
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\clink410.exe
Wow64 process (32bit):	true
Commandline:	clink410.exe
Imagebase:	0xa70000
File size:	4'613'632 bytes
MD5 hash:	F91DD2C9AB406FCA3F15680779305DCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	12:49:12
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginTYFw
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:49:12
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:49:12
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",xtLoginTYFw
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	12:49:12
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal2
Imagebase:	0x230000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	13.5%
Total number of Nodes:	222
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00BEDD11 Relevance: 4.5, APIs: 3, Instructions: 15
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd_noexit.LIBCMT ref: 00BEDD15

Part of subcall function 00BF0A49: GetLastError.KERNEL32(?,00000000,00BF0A37,00000000,00BEDCE1,00C94EE8,0000000C,00BEDE13,?), ref: 00BF0A4B
Part of subcall function 00BF0A49: __calloc_crt.LIBCMT ref: 00BF0A6C
Part of subcall function 00BF0A49: __initptd.LIBCMT ref: 00BF0A8E
Part of subcall function 00BF0A49: GetCurrentThreadId.KERNEL32 ref: 00BF0A95
Part of subcall function 00BF0A49: SetLastError.KERNEL32(00000000,00000000,00BF0A37,00000000,00BEDCE1,00C94EE8,0000000C,00BEDE13,?), ref: 00BF0AAD

__freeptd.LIBCMT ref: 00BEDD2F

Part of subcall function 00BEDE14: LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00BEDD2E), ref: 00BEDE2E
Part of subcall function 00BEDE14: GetProcAddress.KERNEL32(00000000), ref: 00BEDE35
Part of subcall function 00BEDE14: EncodePointer.KERNEL32(00000000), ref: 00BEDE40
Part of subcall function 00BEDE14: DecodePointer.KERNEL32(00BEDD2E), ref: 00BEDE5B

ExitThread.KERNEL32 ref: 00BEDD38

Memory Dump Source

Source File: 0000000C.00000002.3318444437.0000000000A71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000C.00000002.3318422139.0000000000A70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318655352.0000000000C38000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318739313.0000000000C9B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318761261.0000000000C9E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318781669.0000000000CA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318781669.0000000000CAB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318824471.0000000000CAE000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318824471.0000000000EA1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a70000_clink410.jbxd

Similarity

API ID: ErrorLastPointerThread$AddressCurrentDecodeEncodeExitLibraryLoadProc__calloc_crt__freeptd__getptd_noexit__initptd
String ID:
API String ID: 21986956-0
Opcode ID: c6aeffb269254a3e8bf32e6740889ca3bbcfb6c01fdda354c2ba0d9f4becb35b
Instruction ID: 493a80b441b7b0d70e9434f6fc281a99a4e63d9b683fcd13f0d8406858ae7c0d
Opcode Fuzzy Hash: c6aeffb269254a3e8bf32e6740889ca3bbcfb6c01fdda354c2ba0d9f4becb35b
Instruction Fuzzy Hash: 74D0A935402B28BBC6223BABCC0A7AE76DCCF00B01F0041A8F9000A1339FB89D8581E6

Uniqueness

Uniqueness Score: -1.00%

Function 00BEDCD0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BF0A31: __getptd_noexit.LIBCMT ref: 00BF0A32

Part of subcall function 00BEDD11: __getptd_noexit.LIBCMT ref: 00BEDD15
Part of subcall function 00BEDD11: __freeptd.LIBCMT ref: 00BEDD2F
Part of subcall function 00BEDD11: ExitThread.KERNEL32 ref: 00BEDD38

__XcptFilter.LIBCMT ref: 00BEDCFD

Part of subcall function 00BF0765: __getptd_noexit.LIBCMT ref: 00BF0769

Memory Dump Source

Source File: 0000000C.00000002.3318444437.0000000000A71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000C.00000002.3318422139.0000000000A70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318655352.0000000000C38000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318739313.0000000000C9B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318761261.0000000000C9E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318781669.0000000000CA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318781669.0000000000CAB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318824471.0000000000CAE000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318824471.0000000000EA1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a70000_clink410.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__freeptd
String ID:
API String ID: 1337255599-0
Opcode ID: 9923ad6dba1e531fbd98db9a2ac90609db9e64aba67aadddf79c3fbb8fcbfd4d
Instruction ID: d50ee27179a53dc195b019f9bfae0a2f7c074682fca74d314c838e953db6d7d7
Opcode Fuzzy Hash: 9923ad6dba1e531fbd98db9a2ac90609db9e64aba67aadddf79c3fbb8fcbfd4d
Instruction Fuzzy Hash: 04E0ECB59506049FDB08FBA1C94AE2E77B4EF44701F2004D8F101AB2B2DB75AD459B21

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00BF1AE2 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00BF2285,?), ref: 00BF1AE7
UnhandledExceptionFilter.KERNEL32(?), ref: 00BF1AF0

Memory Dump Source

Source File: 0000000C.00000002.3318444437.0000000000A71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000C.00000002.3318422139.0000000000A70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318655352.0000000000C38000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318739313.0000000000C9B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318761261.0000000000C9E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318781669.0000000000CA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318781669.0000000000CAB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318824471.0000000000CAE000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318824471.0000000000EA1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a70000_clink410.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a1f604e1448dea1be8d6f67223db6aa6fbc90373ac6ace4c1790f37565a07464
Instruction ID: 1020487e6aeab5eab54bbf7866f71f46e04c9b835c8cd8770e0ba2b7ae124376
Opcode Fuzzy Hash: a1f604e1448dea1be8d6f67223db6aa6fbc90373ac6ace4c1790f37565a07464
Instruction Fuzzy Hash: 03B09231064308ABCB002B91EC09B5C7F2CEB05656F004010F60D440618F7265168AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00BEDD3F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00BEDE08,?), ref: 00BEDD59
GetProcAddress.KERNEL32(00000000), ref: 00BEDD60
EncodePointer.KERNEL32(00000000), ref: 00BEDD6C
DecodePointer.KERNEL32(00000001,00BEDE08,?), ref: 00BEDD89

Strings

combase.dll, xrefs: 00BEDD54
RoInitialize, xrefs: 00BEDD48

Memory Dump Source

Source File: 0000000C.00000002.3318444437.0000000000A71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000C.00000002.3318422139.0000000000A70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318655352.0000000000C38000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318739313.0000000000C9B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318761261.0000000000C9E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318781669.0000000000CA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318781669.0000000000CAB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318824471.0000000000CAE000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318824471.0000000000EA1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a70000_clink410.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: dbbaf26ea593f64ffc3047dbff210f9105c4384baa390aa7d1e2d7be3eece6b8
Instruction ID: a8335ace4879039d6229740cdbc1d62324333eeea845670ae799d81b50325582
Opcode Fuzzy Hash: dbbaf26ea593f64ffc3047dbff210f9105c4384baa390aa7d1e2d7be3eece6b8
Instruction Fuzzy Hash: 21E0E5746A1341ABDA781B65AC4DB1936A8E745B1AF008034B111D21B0CFB4418D8F10

Uniqueness

Uniqueness Score: -1.00%

Function 00BEDE14 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00BEDD2E), ref: 00BEDE2E
GetProcAddress.KERNEL32(00000000), ref: 00BEDE35
EncodePointer.KERNEL32(00000000), ref: 00BEDE40
DecodePointer.KERNEL32(00BEDD2E), ref: 00BEDE5B

Strings

RoUninitialize, xrefs: 00BEDE1D
combase.dll, xrefs: 00BEDE29

Memory Dump Source

Source File: 0000000C.00000002.3318444437.0000000000A71000.00000020.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true

Associated: 0000000C.00000002.3318422139.0000000000A70000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318655352.0000000000C38000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318739313.0000000000C9B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318761261.0000000000C9E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318781669.0000000000CA3000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318781669.0000000000CAB000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318824471.0000000000CAE000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3318824471.0000000000EA1000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_a70000_clink410.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 50044b065c11ff19c4f48cec3603ecc4faf1163c174cd567b9d93e3bb8fd160b
Instruction ID: 9f82dabc9134882f61d704b7b08ec50de5da33e8c95232fe5cab6d6212dd69fc
Opcode Fuzzy Hash: 50044b065c11ff19c4f48cec3603ecc4faf1163c174cd567b9d93e3bb8fd160b
Instruction Fuzzy Hash: 1CE092B0A92341ABDFA95F60ED4DB0A7BA8B705B19F100864B101D62F0CFB4850C8F20

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\awsip\cloudx410.ip

C:\Users\user\AppData\Roaming\clinkm2.data

C:\Users\user\Desktop\clink410.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Function 00BEDD11 Relevance: 4.5, APIs: 3, Instructions: 15
threadCOMMONLIBRARYCODE

Function 00BEDCD0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMONLIBRARYCODE

Function 00BF1AE2 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 00BEDD3F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24
libraryloaderCOMMONLIBRARYCODE

Function 00BEDE14 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19
libraryloaderCOMMONLIBRARYCODE