Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll
Analysis ID:	1427301
MD5:	bca3b499bf4edf8590ad273592fc411b
SHA1:	c18679cda189f68f8d7022055a7e5d6aff8d1e58
SHA256:	6fb6dc7049299c3172ee60c3f0a0319bd33d0c6b2c9836bf0051e59084e6fce0
Tags:	dll
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6892 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7028 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7124 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

clink410.exe (PID: 3272 cmdline: clink410.exe MD5: F91DD2C9AB406FCA3F15680779305DCC)

rundll32.exe (PID: 7056 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginPro MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4108 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginTYFw MD5: 889B99C52A60DD49227C5E485A016679)

clink410.exe (PID: 7136 cmdline: clink410.exe MD5: F91DD2C9AB406FCA3F15680779305DCC)

rundll32.exe (PID: 5264 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,getXuhaoVal MD5: 889B99C52A60DD49227C5E485A016679)

clink410.exe (PID: 4124 cmdline: clink410.exe MD5: F91DD2C9AB406FCA3F15680779305DCC)

rundll32.exe (PID: 1668 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginPro MD5: 889B99C52A60DD49227C5E485A016679)

clink410.exe (PID: 5844 cmdline: clink410.exe MD5: F91DD2C9AB406FCA3F15680779305DCC)

rundll32.exe (PID: 4412 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginTYFw MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7128 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6548 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",xtLoginTYFw MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 6848 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal2 MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Virustotal: Detection: 57%			Perma Link

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 103.192.208.126:511
Source: global traffic	TCP traffic: 192.168.2.4:49731 -> 103.192.208.9:300
Source: global traffic	TCP traffic: 192.168.2.4:49732 -> 101.71.135.228:300
Source: global traffic	TCP traffic: 192.168.2.4:49734 -> 103.192.208.83:300
Source: global traffic	TCP traffic: 192.168.2.4:49733 -> 101.71.135.233:300
Source: global traffic	TCP traffic: 192.168.2.4:49735 -> 115.236.153.239:300
Source: global traffic	TCP traffic: 192.168.2.4:49737 -> 115.236.153.233:300
Source: global traffic	TCP traffic: 192.168.2.4:49736 -> 45.124.76.226:300
Source: global traffic	TCP traffic: 192.168.2.4:49738 -> 103.192.208.102:300

Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.9
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.228
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.83
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.233
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.239
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 45.124.76.226
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.102
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.124.76.226
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.102
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.83
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.239
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.9
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.102
Source: unknown	TCP traffic detected without corresponding DNS query: 45.124.76.226
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.83
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.239
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.228
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.9
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.102
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.233
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.124.76.226
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.102
Source: unknown	TCP traffic detected without corresponding DNS query: 45.124.76.226
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.83
Source: unknown	TCP traffic detected without corresponding DNS query: 103.192.208.83
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.239
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.239
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.233
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 115.236.153.233
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.233
Source: unknown	TCP traffic detected without corresponding DNS query: 101.71.135.233
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: res3.csasnet.net

Source: loaddll32.exe, 00000000.00000003.1773920494.0000000003456000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1774376123.0000000002FDD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1686864599.0000000004BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1687946403.000000000423D000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 00000005.00000000.1689393916.000000000059E000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000006.00000003.1713610500.0000000005032000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1713918850.0000000004BBE000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 00000007.00000000.1714940304.000000000059E000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000008.00000003.1743938197.0000000004CE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1744254343.000000000486C000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 00000009.00000002.1746131392.000000000059E000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 0000000A.00000003.1777754019.0000000004234000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1776342658.00000000046A8000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 0000000B.00000000.1778533242.000000000059E000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 0000000C.00000003.1781322106.000000000423F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1777423633.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1778715442.00000000048A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1779752930.0000000004432000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1778966447.0000000005066000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1780620634.0000000004BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1779829623.00000000046AE000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: https://www.anweishi.com

Source: clink410.exe.3.dr

Static PE information: Resource name: MYDATA type: DOS executable (COM)

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal48.winDLL@31/3@4/9

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\clink410.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6916:120:WilError_03

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginPro

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Virustotal: Detection: 57%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginPro
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginTYFw
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,getXuhaoVal
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginPro
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginTYFw
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",xtLoginTYFw
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginPro	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginTYFw	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,getXuhaoVal	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginPro	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginTYFw	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",xtLoginTYFw	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK
Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK
Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK
Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK
Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK
Source: C:\Users\user\Desktop\clink410.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static file information: File size 4792832 > 1048576

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x466e00

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\clink410.exe

Code function: 11_2_004DC155 push ecx; ret

11_2_004DC168

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\Desktop\clink410.exe

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\clink410.exe	Window / User API: threadDelayed 400			Jump to behavior
Source: C:\Users\user\Desktop\clink410.exe	Window / User API: threadDelayed 358			Jump to behavior

Source: C:\Users\user\Desktop\clink410.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_11-864

Source: C:\Users\user\Desktop\clink410.exe

API coverage: 9.1 %

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: clink410.exe, 0000000B.00000002.3534735405.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\clink410.exe

API call chain: ExitProcess graph end node

graph_11-865

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\clink410.exe

Code function: 11_2_004EE6F5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

11_2_004EE6F5

Source: C:\Users\user\Desktop\clink410.exe

11_2_004EE6F5

Source: C:\Users\user\Desktop\clink410.exe

Code function: 11_2_004E1AE2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_004E1AE2

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Users\user\Desktop\clink410.exe clink410.exe	Jump to behavior

Source: loaddll32.exe, 00000000.00000003.1773920494.0000000003456000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1774376123.0000000002FDD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1686864599.0000000004BFD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: resNu=ProgmanSHELLDLL_DefViewSysListView32\pro.nlp.lnk\.lnk.lnk\.lnk\\pro.nlp ierr=FindResource err
Source: SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	Binary or memory string: USER32.DLLMessageBoxWGetActiveWindowGetLastActivePopupGetUserObjectInformationWGetProcessWindowStationCreateFile2CONOUT$1#SNAN1#IND1#INF1#QNANgenericunknown erroriostreamiostream stream errorsystem%dMYDATA.execlinkclinkMsgProgmanSHELLDLL_DefViewSysListView32string too longinvalid string positionbad locale name: ios_base::badbit setios_base::failbit setios_base::eofbit set><vector<T> too longbad cast

Source: C:\Users\user\Desktop\clink410.exe

Code function: 5_2_004E144D GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_004E144D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	42%	ReversingLabs	Win32.Trojan.Znyonm
SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll	57%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
res1.csasnet.com	0%	Virustotal		Browse
res3.csasnet.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.anweishi.com	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
res1.csasnet.com	124.221.138.85	true	false	0%, Virustotal, Browse	unknown
res3.csasnet.net	124.221.138.85	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.anweishi.com	loaddll32.exe, 00000000.00000003.1773920494.0000000003456000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1774376123.0000000002FDD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.1686864599.0000000004BFD000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1687946403.000000000423D000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 00000005.00000000.1689393916.000000000059E000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000006.00000003.1713610500.0000000005032000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1713918850.0000000004BBE000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 00000007.00000000.1714940304.000000000059E000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 00000008.00000003.1743938197.0000000004CE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000003.1744254343.000000000486C000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 00000009.00000002.1746131392.000000000059E000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 0000000A.00000003.1777754019.0000000004234000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000003.1776342658.00000000046A8000.00000004.00000020.00020000.00000000.sdmp, clink410.exe, 0000000B.00000000.1778533242.000000000059E000.00000002.00000001.01000000.00000005.sdmp, rundll32.exe, 0000000C.00000003.1781322106.000000000423F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1777423633.00000000046BE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1778715442.00000000048A5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1779752930.0000000004432000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1778966447.0000000005066000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000E.00000003.1780620634.0000000004BEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.1779829623.00000000046AE000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
115.236.153.239	unknown	China	58461	CT-HANGZHOU-IDCNo288Fu-chunRoadCN	false
101.71.135.233	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
45.124.76.226	unknown	China	55720	GIGABIT-MYGigabitHostingSdnBhdMY	false
115.236.153.233	unknown	China	58461	CT-HANGZHOU-IDCNo288Fu-chunRoadCN	false
103.192.208.9	unknown	China	17907	NUSKOPENuSkopePtyLtdAU	false
101.71.135.228	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
103.192.208.126	unknown	China	17907	NUSKOPENuSkopePtyLtdAU	false
103.192.208.83	unknown	China	17907	NUSKOPENuSkopePtyLtdAU	false
103.192.208.102	unknown	China	17907	NUSKOPENuSkopePtyLtdAU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427301
Start date and time:	2024-04-17 12:55:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll
Detection:	MAL
Classification:	mal48.winDLL@31/3@4/9
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .dll Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target clink410.exe, PID 3272 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
115.236.153.233	1zDbKSIQpy.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
res3.csasnet.net	1zDbKSIQpy.exe	Get hash	malicious	Unknown	Browse	115.236.153.254
res1.csasnet.com	1zDbKSIQpy.exe	Get hash	malicious	Unknown	Browse	45.124.76.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	RAV6MYlZkN.elf	Get hash	malicious	Gafgyt, Mirai	Browse	157.8.101.250
	lNd2199wA7.elf	Get hash	malicious	Gafgyt, Mirai	Browse	157.0.158.215
	xexngqLbiY.elf	Get hash	malicious	Gafgyt, Mirai	Browse	175.151.199.164
	nYoGq0v7bV.elf	Get hash	malicious	Gafgyt, Mirai	Browse	157.9.162.58
	4jSjfucaEg.elf	Get hash	malicious	Mirai	Browse	116.177.3.110
	SecuriteInfo.com.Trojan.Inject4.54824.15312.17403.exe	Get hash	malicious	Unknown	Browse	101.72.233.169
	2024#U5e74#U4e8c#U5b63#U5ea6#U5458#U5de5#U8865#U52a9#U6d41#U7a0b.docx.doc	Get hash	malicious	Unknown	Browse	211.93.212.129
	zfehGxWbb4.elf	Get hash	malicious	Mirai	Browse	182.122.239.165
CT-HANGZHOU-IDCNo288Fu-chunRoadCN	OuJmSE9GcF.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.239.80.230
	DqbYZ8Ns4k.elf	Get hash	malicious	Mirai	Browse	60.190.221.181
	sEzW1OZkw1.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.100.229
	SPe0uXr3N3.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.65.231
	SO8J3K15us.elf	Get hash	malicious	Gafgyt	Browse	115.220.147.232
	dVbrHqaCf1.elf	Get hash	malicious	Gafgyt	Browse	115.220.147.211
	21whXUKd06.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.147.243
	eiHXI8khyb.elf	Get hash	malicious	Mirai	Browse	183.131.107.149
	SecuriteInfo.com.Trojan.Siggen13.11902.1474.19881.exe	Get hash	malicious	Unknown	Browse	202.91.251.58
GIGABIT-MYGigabitHostingSdnBhdMY	P5uKPY120j.elf	Get hash	malicious	Mirai	Browse	103.21.89.48
	x86	Get hash	malicious	Unknown	Browse	103.229.227.51
	http://18255.com	Get hash	malicious	Unknown	Browse	103.232.84.252
	11068-1106811068-11068.lnk	Get hash	malicious	NetSupport RAT, NetSupport Downloader, MalLnk	Browse	45.121.147.137
	5kh7DYQuRs.elf	Get hash	malicious	Unknown	Browse	103.85.108.56
	r8S55MyrFG.elf	Get hash	malicious	Mirai	Browse	103.71.179.248
	vyl0vd4LaO.elf	Get hash	malicious	Mirai	Browse	103.21.90.35
	9AMYQBwspv.elf	Get hash	malicious	Mirai	Browse	103.21.90.32
CT-HANGZHOU-IDCNo288Fu-chunRoadCN	OuJmSE9GcF.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.239.80.230
	DqbYZ8Ns4k.elf	Get hash	malicious	Mirai	Browse	60.190.221.181
	sEzW1OZkw1.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.100.229
	SPe0uXr3N3.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.65.231
	SO8J3K15us.elf	Get hash	malicious	Gafgyt	Browse	115.220.147.232
	dVbrHqaCf1.elf	Get hash	malicious	Gafgyt	Browse	115.220.147.211
	21whXUKd06.elf	Get hash	malicious	Gafgyt, Mirai	Browse	115.220.147.243
	eiHXI8khyb.elf	Get hash	malicious	Mirai	Browse	183.131.107.149
	SecuriteInfo.com.Trojan.Siggen13.11902.1474.19881.exe	Get hash	malicious	Unknown	Browse	202.91.251.58

Process:	C:\Users\user\Desktop\clink410.exe
File Type:	data
Category:	dropped
Size (bytes):	852
Entropy (8bit):	7.7767617232232285
Encrypted:	false
SSDEEP:	24:X2M71RpVqtCe5YTjLADkmQHqvDCKuRkSP9:ma1RLqcTXXmQK0RVP9
MD5:	018AB155EB16AED6DDFD346099F8A565
SHA1:	5DF872AA1C17ECB2215D20A7752AD921CDD9D034
SHA-256:	E97EBA2D034713B61C3985DF444118E71F1CB1C28FC92ABB93DCD5703FEC4688
SHA-512:	E1E9CA0AD5AEF365BE1C089761BE0A9E4453A9384E42AF1BC9F2DCBAD9955B47A35EA321CF22B4EE5A583534B8F0B38F8924D468AB12E0FAFE408DB53C850E6B
Malicious:	false
Preview:	P........u.5.U&3.W\;2.l.R.p.\-.....?EsM.....5.}.sf2n...F....u..=."... ...q......`i........!....bY5[...z.R'."..M.2.=..G..O.....0IDII-.._.%.. ..YK...xs.\|.&ct..]..l.Nk./Ee(r..$......j..V.:.......,Q..\|..w.^....iy.{.t(M........x...4cb>G.Q...D{.A.\f.r....(g.K..7...<@Z.F....&75+.h..s.Jb...B...(...-3.[).~..2..r..f6...........Eh.%.uC...s.UrfS.N..-d......cK.............p....X.[.9XC.....E...I..:.a@..k....\.....;..q..a....C.&.o.W3.:.`A...J.2W.....'....a.adL.ev..P.....r..f.?........H.YD..y.eGe.@.v,9......t.^...u.U..w.=...Ks.s....H.=.7....L].KI.F.C.'.f.'...[\|vp..V[.m.S......sX.Z.V.'.4.W-.Z....s...."C.x..........:..J.B...H..F..&..)x.,+.wW......s\....^.5..q......e.._..z...L..h.d..~o...l.uY..8gb.[..F.s...&v...a$-.y.!.LJ........V.....}..s]..o.]EF....'...x+g. ...v.(.....tn*~..!b..$...+...0..$.%6>.Cm.O.Z.tG.Y.2p..

C:\Users\user\AppData\Roaming\clinkm2.data

Download File

Process:	C:\Users\user\Desktop\clink410.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.10459074006210621
Encrypted:	false
SSDEEP:	3:WloQPkAxpVGXf:WlhJx7A
MD5:	9516D6570BE8077D083DCB800B1EF936
SHA1:	171B93385508DA32653F340CD64FC12AF66659A5
SHA-256:	7FBF06AEBF30AB57D2338DF5EBAEF2E64A0A4A755AB576D087091299B86867BC
SHA-512:	E13EBCD8D41D28512580FCEC0AC1D5AB9ED80C095192405E6689125290DA15C77DA189EB0E60A8F880BED920F0EB2351AB156EA3AF5506CF1CF303A5C7E2E9A2
Malicious:	false
Preview:	.S..b4f799d5ac2441ee98dfbaa92a0c2ba3....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\clink410.exe

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4613632
Entropy (8bit):	7.043550339564266
Encrypted:	false
SSDEEP:	98304:tRdbR/SYR9T+fuJ4bB8qXmsNAGWN7Bo1xXXyIuBoPMFLOAkGkzdnEVomFHKnPc:tnhSfXrXio1xXXyBoPMFLOyomFHKnP
MD5:	F91DD2C9AB406FCA3F15680779305DCC
SHA1:	8EA7C1AA10A68211715E4363E11E915670DB33CF
SHA-256:	C2A193BC5741545E27EBBF7A728EA5629D48E0B73BD4112083497458F39E71FC
SHA-512:	F0413FB35AE79D81428BDB8B6CA96A1A9DE6A9601A49BABCF56DD94AC098C0DE4B04D06EDF816F633E32CD8CA7C59AA3A38A4A648937D959E33220604A1BF41C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........NL^./"../"../"..W.../"..W.../"..W.../"../#..,"..~.../"..~...."..~..Z."..}.../"..}.../"../.../"..}.../".Rich./".........PE..L....{.e.................b..........q............@..........................@G...........@..................................k".......#.x!...................E..(...................................9 .@............................................text....`.......b.................. ..`.rdata..(%.......&...f..............@..@.data....(....".......".............@....rsrc...x!...#..,!...#.............@..@.reloc...(....E.....<D.............@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.089134093158391
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll
File size:	4'792'832 bytes
MD5:	bca3b499bf4edf8590ad273592fc411b
SHA1:	c18679cda189f68f8d7022055a7e5d6aff8d1e58
SHA256:	6fb6dc7049299c3172ee60c3f0a0319bd33d0c6b2c9836bf0051e59084e6fce0
SHA512:	3935e1936d1b909a9719dcd5f3ee0526c8e840d04e6617ad1fa1b7f876046f5fa0f1e48a9a56d68d7a2ca87572030ea3df666af3e1a804a211375596ba1256ae
SSDEEP:	49152:pAkKo7fIMLsI7eAJceXxl5h7+JF3HYgijO6WDZwdKYQgf3RjFkhDa+nRk2H8d:pP37fIceAJLkvCO6WDZwdKggh2
TLSH:	2926BF6E97E45E4DAB1B4BE59C3BA7E81942CF01656F86CF15C1CA44E3E8FCA104B390
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_.S.>i..>i..>i..o...>i..o...>i..o..p>i..F...>i..>h..>i..l...>i..l...>i..l...>i..>...>i..l...>i.Rich.>i.........PE..L....{.e...

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1000981f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x650E7BCA [Sat Sep 23 05:46:50 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	702466d805e925a74c5b750dae64fa7a

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F160450FD67h
call 00007F1604519EC1h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F160450FD6Ch
add esp, 0Ch
pop ebp
retn 000Ch
push 0000000Ch
push 10027FB8h
call 00007F1604515C67h
xor eax, eax
inc eax
mov esi, dword ptr [ebp+0Ch]
test esi, esi
jne 00007F160450FD6Eh
cmp dword ptr [1002B0C8h], esi
je 00007F160450FE4Ah
and dword ptr [ebp-04h], 00000000h
cmp esi, 01h
je 00007F160450FD67h
cmp esi, 02h
jne 00007F160450FD97h
mov ecx, dword ptr [100213A0h]
test ecx, ecx
je 00007F160450FD6Eh
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call ecx
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F160450FE17h
push dword ptr [ebp+10h]
push esi
push dword ptr [ebp+08h]
call 00007F160450FB76h
mov dword ptr [ebp-1Ch], eax
test eax, eax
je 00007F160450FE00h
mov ebx, dword ptr [ebp+10h]
push ebx
push esi
push dword ptr [ebp+08h]
call 00007F160450AB71h
mov edi, eax
mov dword ptr [ebp-1Ch], edi
cmp esi, 01h
jne 00007F160450FD8Ah
test edi, edi
jne 00007F160450FD86h
push ebx
push eax
push dword ptr [ebp+08h]
call 00007F160450AB59h
push ebx
push edi
push dword ptr [ebp+08h]
call 00007F160450FB3Ch
mov eax, dword ptr [100213A0h]
test eax, eax
je 00007F160450FD69h
push ebx
push edi
push dword ptr [ebp+08h]
call eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729
[EXP] VS2013 build 21005
[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x28610	0x9f	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x286b0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0x466d78	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x494000	0x1d58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x269d0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x20000	0x164	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1e51a	0x1e600	fdfd327103d4c6b5f1ae2c9f8e5277d7	False	0.5533773791152263	data	6.6333240223790195	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x20000	0x8eae	0x9000	82b586034e377c629f0798945d0aac6c	False	0.3738606770833333	data	4.70691480244013	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x29000	0x3d68	0x1c00	784047e184693078d96818b5ef4ac95f	False	0.30398995535714285	DOS executable (block device driver ght (c)	3.868903672114225	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2d000	0x466d78	0x466e00	ce26efbc85e994f9786410279fc316ee	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x494000	0x1d58	0x1e00	32ba9d88e438f1d15233c557d3e4f0ed	False	0.7600260416666667	data	6.546482667203409	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
MYDATA	0x2d100	0x466a14	data	Chinese	China	0.5479860305786133
RT_VERSION	0x493b18	0xdc	data	Chinese	China	0.6636363636363637
RT_MANIFEST	0x493bf8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	FindResourceW, GetLastError, SizeofResource, LoadResource, LockResource, CreatePipe, MultiByteToWideChar, CreateProcessW, WaitForSingleObject, CloseHandle, Sleep, CreateThread, WideCharToMultiByte, GetCurrentProcessId, GetModuleFileNameW, OpenProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, TerminateProcess, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, SetEndOfFile, CreateFileW, OutputDebugStringW, WriteConsoleW, SetStdHandle, ReadConsoleW, LoadLibraryExW, HeapReAlloc, FreeEnvironmentStringsW, DeleteCriticalSection, EncodePointer, DecodePointer, GetStringTypeW, HeapFree, IsDebuggerPresent, IsProcessorFeaturePresent, GetSystemTimeAsFileTime, GetCommandLineA, GetCurrentThreadId, RaiseException, RtlUnwind, HeapAlloc, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SetLastError, InitializeCriticalSectionAndSpinCount, GetCurrentProcess, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetModuleHandleW, GetProcAddress, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ExitProcess, GetModuleHandleExW, AreFileApisANSI, HeapSize, GetProcessHeap, IsValidCodePage, GetACP, GetOEMCP, GetStdHandle, GetFileType, WriteFile, GetConsoleCP, GetConsoleMode, ReadFile, SetFilePointerEx, FlushFileBuffers, GetModuleFileNameA, QueryPerformanceCounter, GetEnvironmentStringsW
USER32.dll	FindWindowW, PostMessageW, FindWindowExW
SHELL32.dll	SHChangeNotify

Exports

Name	Ordinal	Address
LoginPro	1	0x10003060
LoginTYFw	2	0x10003060
getXuhaoVal	3	0x10003040
getXuhaoVal2	4	0x10003050
xtLoginTYFw	5	0x10003070

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 12:56:39.445784092 CEST	49730	511	192.168.2.4	103.192.208.126
Apr 17, 2024 12:56:39.784666061 CEST	511	49730	103.192.208.126	192.168.2.4
Apr 17, 2024 12:56:39.784786940 CEST	49730	511	192.168.2.4	103.192.208.126
Apr 17, 2024 12:56:39.879141092 CEST	49730	511	192.168.2.4	103.192.208.126
Apr 17, 2024 12:56:40.212502956 CEST	511	49730	103.192.208.126	192.168.2.4
Apr 17, 2024 12:56:40.212557077 CEST	511	49730	103.192.208.126	192.168.2.4
Apr 17, 2024 12:56:40.212793112 CEST	49730	511	192.168.2.4	103.192.208.126
Apr 17, 2024 12:56:40.544454098 CEST	511	49730	103.192.208.126	192.168.2.4
Apr 17, 2024 12:56:40.544749022 CEST	49730	511	192.168.2.4	103.192.208.126
Apr 17, 2024 12:56:40.613785028 CEST	49731	300	192.168.2.4	103.192.208.9
Apr 17, 2024 12:56:40.614008904 CEST	49732	300	192.168.2.4	101.71.135.228
Apr 17, 2024 12:56:40.614128113 CEST	49734	300	192.168.2.4	103.192.208.83
Apr 17, 2024 12:56:40.614128113 CEST	49733	300	192.168.2.4	101.71.135.233
Apr 17, 2024 12:56:40.629581928 CEST	49735	300	192.168.2.4	115.236.153.239
Apr 17, 2024 12:56:40.629662991 CEST	49737	300	192.168.2.4	115.236.153.233
Apr 17, 2024 12:56:40.629672050 CEST	49736	300	192.168.2.4	45.124.76.226
Apr 17, 2024 12:56:40.629729033 CEST	49738	300	192.168.2.4	103.192.208.102
Apr 17, 2024 12:56:40.950510979 CEST	300	49731	103.192.208.9	192.168.2.4
Apr 17, 2024 12:56:40.950716019 CEST	49731	300	192.168.2.4	103.192.208.9
Apr 17, 2024 12:56:40.960710049 CEST	300	49736	45.124.76.226	192.168.2.4
Apr 17, 2024 12:56:40.960798979 CEST	49736	300	192.168.2.4	45.124.76.226
Apr 17, 2024 12:56:40.962286949 CEST	300	49738	103.192.208.102	192.168.2.4
Apr 17, 2024 12:56:40.962363958 CEST	49738	300	192.168.2.4	103.192.208.102
Apr 17, 2024 12:56:40.964205980 CEST	300	49734	103.192.208.83	192.168.2.4
Apr 17, 2024 12:56:40.964301109 CEST	49734	300	192.168.2.4	103.192.208.83
Apr 17, 2024 12:56:40.971519947 CEST	300	49737	115.236.153.233	192.168.2.4
Apr 17, 2024 12:56:40.971611977 CEST	49737	300	192.168.2.4	115.236.153.233
Apr 17, 2024 12:56:40.994245052 CEST	300	49735	115.236.153.239	192.168.2.4
Apr 17, 2024 12:56:40.994498968 CEST	49735	300	192.168.2.4	115.236.153.239
Apr 17, 2024 12:56:41.277040958 CEST	300	49731	103.192.208.9	192.168.2.4
Apr 17, 2024 12:56:41.277790070 CEST	49731	300	192.168.2.4	103.192.208.9
Apr 17, 2024 12:56:41.295011044 CEST	300	49738	103.192.208.102	192.168.2.4
Apr 17, 2024 12:56:41.295634031 CEST	300	49736	45.124.76.226	192.168.2.4
Apr 17, 2024 12:56:41.295702934 CEST	49738	300	192.168.2.4	103.192.208.102
Apr 17, 2024 12:56:41.296053886 CEST	49736	300	192.168.2.4	45.124.76.226
Apr 17, 2024 12:56:41.311743975 CEST	300	49734	103.192.208.83	192.168.2.4
Apr 17, 2024 12:56:41.312141895 CEST	49734	300	192.168.2.4	103.192.208.83
Apr 17, 2024 12:56:41.363493919 CEST	300	49735	115.236.153.239	192.168.2.4
Apr 17, 2024 12:56:41.363909960 CEST	49735	300	192.168.2.4	115.236.153.239
Apr 17, 2024 12:56:41.613579035 CEST	49732	300	192.168.2.4	101.71.135.228
Apr 17, 2024 12:56:41.613956928 CEST	300	49731	103.192.208.9	192.168.2.4
Apr 17, 2024 12:56:41.613976955 CEST	300	49731	103.192.208.9	192.168.2.4
Apr 17, 2024 12:56:41.613993883 CEST	300	49731	103.192.208.9	192.168.2.4
Apr 17, 2024 12:56:41.614061117 CEST	49731	300	192.168.2.4	103.192.208.9
Apr 17, 2024 12:56:41.628297091 CEST	300	49738	103.192.208.102	192.168.2.4
Apr 17, 2024 12:56:41.628333092 CEST	300	49738	103.192.208.102	192.168.2.4
Apr 17, 2024 12:56:41.628346920 CEST	300	49738	103.192.208.102	192.168.2.4
Apr 17, 2024 12:56:41.628528118 CEST	49738	300	192.168.2.4	103.192.208.102
Apr 17, 2024 12:56:41.628971100 CEST	49733	300	192.168.2.4	101.71.135.233
Apr 17, 2024 12:56:41.629533052 CEST	300	49736	45.124.76.226	192.168.2.4
Apr 17, 2024 12:56:41.629587889 CEST	300	49736	45.124.76.226	192.168.2.4
Apr 17, 2024 12:56:41.629616976 CEST	300	49736	45.124.76.226	192.168.2.4
Apr 17, 2024 12:56:41.629620075 CEST	49731	300	192.168.2.4	103.192.208.9
Apr 17, 2024 12:56:41.629688978 CEST	49736	300	192.168.2.4	45.124.76.226
Apr 17, 2024 12:56:41.632885933 CEST	49738	300	192.168.2.4	103.192.208.102
Apr 17, 2024 12:56:41.635713100 CEST	49736	300	192.168.2.4	45.124.76.226
Apr 17, 2024 12:56:41.662787914 CEST	300	49734	103.192.208.83	192.168.2.4
Apr 17, 2024 12:56:41.662803888 CEST	300	49734	103.192.208.83	192.168.2.4
Apr 17, 2024 12:56:41.662856102 CEST	300	49734	103.192.208.83	192.168.2.4
Apr 17, 2024 12:56:41.662909985 CEST	49734	300	192.168.2.4	103.192.208.83
Apr 17, 2024 12:56:41.665776968 CEST	49734	300	192.168.2.4	103.192.208.83
Apr 17, 2024 12:56:41.748388052 CEST	300	49735	115.236.153.239	192.168.2.4
Apr 17, 2024 12:56:41.748447895 CEST	300	49735	115.236.153.239	192.168.2.4
Apr 17, 2024 12:56:41.748461962 CEST	300	49735	115.236.153.239	192.168.2.4
Apr 17, 2024 12:56:41.748514891 CEST	49735	300	192.168.2.4	115.236.153.239
Apr 17, 2024 12:56:41.751703024 CEST	49735	300	192.168.2.4	115.236.153.239
Apr 17, 2024 12:56:41.957993031 CEST	300	49731	103.192.208.9	192.168.2.4
Apr 17, 2024 12:56:41.965487957 CEST	300	49738	103.192.208.102	192.168.2.4
Apr 17, 2024 12:56:41.976735115 CEST	300	49736	45.124.76.226	192.168.2.4
Apr 17, 2024 12:56:42.018110991 CEST	300	49734	103.192.208.83	192.168.2.4
Apr 17, 2024 12:56:42.141474962 CEST	300	49735	115.236.153.239	192.168.2.4
Apr 17, 2024 12:56:42.356605053 CEST	300	49737	115.236.153.233	192.168.2.4
Apr 17, 2024 12:56:42.356748104 CEST	49737	300	192.168.2.4	115.236.153.233
Apr 17, 2024 12:56:43.628999949 CEST	49733	300	192.168.2.4	101.71.135.233
Apr 17, 2024 12:56:44.356564999 CEST	300	49737	115.236.153.233	192.168.2.4
Apr 17, 2024 12:56:44.356700897 CEST	49737	300	192.168.2.4	115.236.153.233
Apr 17, 2024 12:56:44.702009916 CEST	300	49737	115.236.153.233	192.168.2.4
Apr 17, 2024 12:56:44.754036903 CEST	49737	300	192.168.2.4	115.236.153.233
Apr 17, 2024 12:56:44.763570070 CEST	49737	300	192.168.2.4	115.236.153.233
Apr 17, 2024 12:56:45.116656065 CEST	300	49737	115.236.153.233	192.168.2.4
Apr 17, 2024 12:56:45.116704941 CEST	300	49737	115.236.153.233	192.168.2.4
Apr 17, 2024 12:56:45.116741896 CEST	300	49737	115.236.153.233	192.168.2.4
Apr 17, 2024 12:56:45.116838932 CEST	49737	300	192.168.2.4	115.236.153.233
Apr 17, 2024 12:56:45.121320963 CEST	49737	300	192.168.2.4	115.236.153.233
Apr 17, 2024 12:56:45.470506907 CEST	300	49737	115.236.153.233	192.168.2.4
Apr 17, 2024 12:56:47.644722939 CEST	49733	300	192.168.2.4	101.71.135.233
Apr 17, 2024 12:56:55.644926071 CEST	49733	300	192.168.2.4	101.71.135.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 17, 2024 12:56:39.345613003 CEST	55976	53	192.168.2.4	1.1.1.1
Apr 17, 2024 12:56:39.552988052 CEST	57836	53	192.168.2.4	1.1.1.1
Apr 17, 2024 12:56:40.109301090 CEST	53	57836	1.1.1.1	192.168.2.4
Apr 17, 2024 12:56:40.348069906 CEST	55976	53	192.168.2.4	1.1.1.1
Apr 17, 2024 12:56:41.363590956 CEST	55976	53	192.168.2.4	1.1.1.1
Apr 17, 2024 12:56:41.388843060 CEST	53	55976	1.1.1.1	192.168.2.4
Apr 17, 2024 12:56:41.388865948 CEST	53	55976	1.1.1.1	192.168.2.4
Apr 17, 2024 12:56:41.467681885 CEST	53	55976	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 17, 2024 12:56:39.345613003 CEST	192.168.2.4	1.1.1.1	0xd1d4	Standard query (0)	res3.csasnet.net	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:39.552988052 CEST	192.168.2.4	1.1.1.1	0xa8c7	Standard query (0)	res1.csasnet.com	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:40.348069906 CEST	192.168.2.4	1.1.1.1	0xd1d4	Standard query (0)	res3.csasnet.net	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:41.363590956 CEST	192.168.2.4	1.1.1.1	0xd1d4	Standard query (0)	res3.csasnet.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 17, 2024 12:56:40.109301090 CEST	1.1.1.1	192.168.2.4	0xa8c7	No error (0)	res1.csasnet.com	124.221.138.85	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:40.109301090 CEST	1.1.1.1	192.168.2.4	0xa8c7	No error (0)	res1.csasnet.com	45.124.76.254	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:40.109301090 CEST	1.1.1.1	192.168.2.4	0xa8c7	No error (0)	res1.csasnet.com	115.236.153.253	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:41.388843060 CEST	1.1.1.1	192.168.2.4	0xd1d4	No error (0)	res3.csasnet.net	124.221.138.85	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:41.388843060 CEST	1.1.1.1	192.168.2.4	0xd1d4	No error (0)	res3.csasnet.net	103.192.208.126	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:41.388843060 CEST	1.1.1.1	192.168.2.4	0xd1d4	No error (0)	res3.csasnet.net	115.236.153.254	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:41.388865948 CEST	1.1.1.1	192.168.2.4	0xd1d4	No error (0)	res3.csasnet.net	124.221.138.85	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:41.388865948 CEST	1.1.1.1	192.168.2.4	0xd1d4	No error (0)	res3.csasnet.net	103.192.208.126	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:41.388865948 CEST	1.1.1.1	192.168.2.4	0xd1d4	No error (0)	res3.csasnet.net	115.236.153.254	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:41.467681885 CEST	1.1.1.1	192.168.2.4	0xd1d4	No error (0)	res3.csasnet.net	103.192.208.126	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:41.467681885 CEST	1.1.1.1	192.168.2.4	0xd1d4	No error (0)	res3.csasnet.net	115.236.153.254	A (IP address)	IN (0x0001)	false
Apr 17, 2024 12:56:41.467681885 CEST	1.1.1.1	192.168.2.4	0xd1d4	No error (0)	res3.csasnet.net	124.221.138.85	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:56:27
Start date:	17/04/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll"
Imagebase:	0x160000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:56:27
Start date:	17/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:56:27
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:56:27
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginPro
Imagebase:	0xe00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:56:27
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",#1
Imagebase:	0xe00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	12:56:28
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\clink410.exe
Wow64 process (32bit):	false
Commandline:	clink410.exe
Imagebase:	0x360000
File size:	4'613'632 bytes
MD5 hash:	F91DD2C9AB406FCA3F15680779305DCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:56:30
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,LoginTYFw
Imagebase:	0xe00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:56:30
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\clink410.exe
Wow64 process (32bit):	false
Commandline:	clink410.exe
Imagebase:	0x360000
File size:	4'613'632 bytes
MD5 hash:	F91DD2C9AB406FCA3F15680779305DCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	12:56:33
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll,getXuhaoVal
Imagebase:	0x7ff7699e0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	12:56:33
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\clink410.exe
Wow64 process (32bit):	false
Commandline:	clink410.exe
Imagebase:	0x360000
File size:	4'613'632 bytes
MD5 hash:	F91DD2C9AB406FCA3F15680779305DCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	12:56:36
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginPro
Imagebase:	0xe00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	12:56:36
Start date:	17/04/2024
Path:	C:\Users\user\Desktop\clink410.exe
Wow64 process (32bit):	true
Commandline:	clink410.exe
Imagebase:	0x360000
File size:	4'613'632 bytes
MD5 hash:	F91DD2C9AB406FCA3F15680779305DCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	12:56:36
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",LoginTYFw
Imagebase:	0xe00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	12:56:37
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal
Imagebase:	0xe00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	12:56:37
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",xtLoginTYFw
Imagebase:	0xe00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	12:56:37
Start date:	17/04/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll",getXuhaoVal2
Imagebase:	0xe00000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.4%
Total number of Nodes:	219
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004DDD11 Relevance: 4.5, APIs: 3, Instructions: 15
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__getptd_noexit.LIBCMT ref: 004DDD15

Part of subcall function 004E0A49: GetLastError.KERNEL32(?,00000000,004E0A37,00000000,004DDCE1,00584EE8,0000000C,004DDE13,?), ref: 004E0A4B
Part of subcall function 004E0A49: __calloc_crt.LIBCMT ref: 004E0A6C
Part of subcall function 004E0A49: __initptd.LIBCMT ref: 004E0A8E
Part of subcall function 004E0A49: GetCurrentThreadId.KERNEL32 ref: 004E0A95
Part of subcall function 004E0A49: SetLastError.KERNEL32(00000000,00000000,004E0A37,00000000,004DDCE1,00584EE8,0000000C,004DDE13,?), ref: 004E0AAD

__freeptd.LIBCMT ref: 004DDD2F

Part of subcall function 004DDE14: LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004DDD2E), ref: 004DDE2E
Part of subcall function 004DDE14: GetProcAddress.KERNEL32(00000000), ref: 004DDE35
Part of subcall function 004DDE14: EncodePointer.KERNEL32(00000000), ref: 004DDE40
Part of subcall function 004DDE14: DecodePointer.KERNEL32(004DDD2E), ref: 004DDE5B

ExitThread.KERNEL32 ref: 004DDD38

Memory Dump Source

Source File: 0000000B.00000002.3533861385.0000000000361000.00000020.00000001.01000000.00000005.sdmp, Offset: 00360000, based on PE: true

Associated: 0000000B.00000002.3533815261.0000000000360000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534071818.0000000000528000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534139520.000000000058B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534161247.000000000058E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534184831.0000000000593000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534184831.000000000059B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534231482.000000000059E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534231482.0000000000791000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_360000_clink410.jbxd

Similarity

API ID: ErrorLastPointerThread$AddressCurrentDecodeEncodeExitLibraryLoadProc__calloc_crt__freeptd__getptd_noexit__initptd
String ID:
API String ID: 21986956-0
Opcode ID: 5f48a4bedb46a658b025ece92cb18b82e9a216479d160d5d608265e08e6532c3
Instruction ID: 53d92ab33bd0006188f60e1ea9f8a1b2d9af8c871e6f84e13f628ca424753828
Opcode Fuzzy Hash: 5f48a4bedb46a658b025ece92cb18b82e9a216479d160d5d608265e08e6532c3
Instruction Fuzzy Hash: A2D0A735802A14ABDA323BA7C81565F765C4F01709F00011FF410053178F7C5D8181DD

Uniqueness

Uniqueness Score: -1.00%

Function 004DDCD0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004E0A31: __getptd_noexit.LIBCMT ref: 004E0A32

Part of subcall function 004DDD11: __getptd_noexit.LIBCMT ref: 004DDD15
Part of subcall function 004DDD11: __freeptd.LIBCMT ref: 004DDD2F
Part of subcall function 004DDD11: ExitThread.KERNEL32 ref: 004DDD38

__XcptFilter.LIBCMT ref: 004DDCFD

Part of subcall function 004E0765: __getptd_noexit.LIBCMT ref: 004E0769

Memory Dump Source

Source File: 0000000B.00000002.3533861385.0000000000361000.00000020.00000001.01000000.00000005.sdmp, Offset: 00360000, based on PE: true

Associated: 0000000B.00000002.3533815261.0000000000360000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534071818.0000000000528000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534139520.000000000058B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534161247.000000000058E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534184831.0000000000593000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534184831.000000000059B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534231482.000000000059E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534231482.0000000000791000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_360000_clink410.jbxd

Similarity

API ID: __getptd_noexit$ExitFilterThreadXcpt__freeptd
String ID:
API String ID: 1337255599-0
Opcode ID: 0a1b56a9515b403454bd4287503ee2b5bf97d2a8a3c973b267bdd78434f1b1f4
Instruction ID: 27c59cde59c640088924ba1440ea116e1bb169912a094d6b070fe71c05b12a9b
Opcode Fuzzy Hash: 0a1b56a9515b403454bd4287503ee2b5bf97d2a8a3c973b267bdd78434f1b1f4
Instruction Fuzzy Hash: 97E0ECB59406059FDB04FBA2C946E2D77B9FF44705F20045EF501AB2A2DABCAD40DF25

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004E1AE2 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,004E2285,?), ref: 004E1AE7
UnhandledExceptionFilter.KERNEL32(?), ref: 004E1AF0

Memory Dump Source

Source File: 0000000B.00000002.3533861385.0000000000361000.00000020.00000001.01000000.00000005.sdmp, Offset: 00360000, based on PE: true

Associated: 0000000B.00000002.3533815261.0000000000360000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534071818.0000000000528000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534139520.000000000058B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534161247.000000000058E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534184831.0000000000593000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534184831.000000000059B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534231482.000000000059E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534231482.0000000000791000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_360000_clink410.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b47f8b8abcf030dec42e471ac009773a182a3456f182ac44e48270b9396cfd2c
Instruction ID: 496489b4fc01ab837b0c6f58ca4c04b89e0b82e39411f546e6e76f9ba957ca13
Opcode Fuzzy Hash: b47f8b8abcf030dec42e471ac009773a182a3456f182ac44e48270b9396cfd2c
Instruction Fuzzy Hash: A9B09231045208ABDB112BD1EC09B687F2CEF26656F004010F60D440A18F725527EA99

Uniqueness

Uniqueness Score: -1.00%

Function 004DDD3F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,004DDE08,?), ref: 004DDD59
GetProcAddress.KERNEL32(00000000), ref: 004DDD60
EncodePointer.KERNEL32(00000000), ref: 004DDD6C
DecodePointer.KERNEL32(00000001,004DDE08,?), ref: 004DDD89

Strings

RoInitialize, xrefs: 004DDD48
combase.dll, xrefs: 004DDD54

Memory Dump Source

Source File: 0000000B.00000002.3533861385.0000000000361000.00000020.00000001.01000000.00000005.sdmp, Offset: 00360000, based on PE: true

Associated: 0000000B.00000002.3533815261.0000000000360000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534071818.0000000000528000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534139520.000000000058B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534161247.000000000058E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534184831.0000000000593000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534184831.000000000059B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534231482.000000000059E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534231482.0000000000791000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_360000_clink410.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoInitialize$combase.dll
API String ID: 3489934621-340411864
Opcode ID: 1bd91ccdc51594f32f53b0fba1f76854bd9ef94fcefaaee4fe0d7b67dd71958c
Instruction ID: 9f8db4984c1b52b1df6c215c4f21e913134c62d4b2fdf927276cd66b2dfcdb4e
Opcode Fuzzy Hash: 1bd91ccdc51594f32f53b0fba1f76854bd9ef94fcefaaee4fe0d7b67dd71958c
Instruction Fuzzy Hash: A4E0ED70A922019BDF745BB49C09B253A69AB76B0BF429426B501D52B0CEB4448EAF10

Uniqueness

Uniqueness Score: -1.00%

Function 004DDE14 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,004DDD2E), ref: 004DDE2E
GetProcAddress.KERNEL32(00000000), ref: 004DDE35
EncodePointer.KERNEL32(00000000), ref: 004DDE40
DecodePointer.KERNEL32(004DDD2E), ref: 004DDE5B

Strings

RoUninitialize, xrefs: 004DDE1D
combase.dll, xrefs: 004DDE29

Memory Dump Source

Source File: 0000000B.00000002.3533861385.0000000000361000.00000020.00000001.01000000.00000005.sdmp, Offset: 00360000, based on PE: true

Associated: 0000000B.00000002.3533815261.0000000000360000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534071818.0000000000528000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534139520.000000000058B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534161247.000000000058E000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534184831.0000000000593000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534184831.000000000059B000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534231482.000000000059E000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000B.00000002.3534231482.0000000000791000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_360000_clink410.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 1915ff07d943316b20a1c63fbbaf3ea7781e7e846304b3d36903c5f2fbad095b
Instruction ID: 3784bb97daacec316ca2cb53095cae8d32cb318c7ca690071286b12aeb81a5a6
Opcode Fuzzy Hash: 1915ff07d943316b20a1c63fbbaf3ea7781e7e846304b3d36903c5f2fbad095b
Instruction Fuzzy Hash: E2E09AB054B201ABDF655FA0AD1D7263B68BB36B06F124816B501D91A0CFB8484DAB64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\awsip\cloudx410.ip

C:\Users\user\AppData\Roaming\clinkm2.data

C:\Users\user\Desktop\clink410.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Windows Analysis Report
SecuriteInfo.com.Win32.DropperX-gen.16918.1810.dll

Function 004DDD11 Relevance: 4.5, APIs: 3, Instructions: 15
threadCOMMONLIBRARYCODE

Function 004DDCD0 Relevance: 1.5, APIs: 1, Instructions: 19
COMMONLIBRARYCODE

Function 004E1AE2 Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Function 004DDD3F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24
libraryloaderCOMMONLIBRARYCODE

Function 004DDE14 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19
libraryloaderCOMMONLIBRARYCODE