Edit tour

Windows Analysis Report
wwlib.dll

Overview

General Information

Sample name:	wwlib.dll
Analysis ID:	1513171
MD5:	b010e9152586cebd0343135577c30b95
SHA1:	1efc081d7520c113a7469d1c39eec3bc31578dd9
SHA256:	0d91dfd16175658da35e12cafc4f8aa22129b42b7170898148ad516836a3344f
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64native

loaddll32.exe (PID: 2684 cmdline: loaddll32.exe "C:\Users\user\Desktop\wwlib.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 5836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 4936 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wwlib.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 1308 cmdline: rundll32.exe "C:\Users\user\Desktop\wwlib.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

WerFault.exe (PID: 5052 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 564 MD5: 40A149513D721F096DDF50C04DA2F01F)

WerFault.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 288 MD5: 40A149513D721F096DDF50C04DA2F01F)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: wwlib.dll	Virustotal: Detection: 61%			Perma Link
Source: wwlib.dll	ReversingLabs: Detection: 70%

Machine Learning detection for sample

Source: wwlib.dll

Joe Sandbox ML: detected

Source: wwlib.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: wwlib.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00D9E54B		0_2_00D9E54B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_008D973B		4_2_008D973B

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 288

Source: wwlib.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal52.winDLL@8/8@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2684
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5836:304:WilStaging_02

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ccf1e794-ccd8-42f4-890f-d5b504199e77

Jump to behavior

Source: wwlib.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wwlib.dll",#1

Source: wwlib.dll	Virustotal: Detection: 61%
Source: wwlib.dll	ReversingLabs: Detection: 70%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\wwlib.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wwlib.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wwlib.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 288
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 564
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wwlib.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wwlib.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: wwlib.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wwlib.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wwlib.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wwlib.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wwlib.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wwlib.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: wwlib.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: wwlib.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: wwlib.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wwlib.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wwlib.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wwlib.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wwlib.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_008CC380 push eax; ret	4_2_008CC381
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_008D86BC pushfd ; ret	4_2_008D8665
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_008D86DC pushfd ; ret	4_2_008D86DD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_008CBDEC pushfd ; retf	4_2_008CBE01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_008CD6F4 push eax; retn 0076h	4_2_008CD6F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_008CC924 push eax; iretd	4_2_008CC925
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_008D8625 pushfd ; ret	4_2_008D8665

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\wwlib.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
wwlib.dll	62%	Virustotal		Browse
wwlib.dll	71%	ReversingLabs	Win32.Trojan.Cxclnt
wwlib.dll	100%	Joe Sandbox ML

Domains and IPs

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1513171
Start date and time:	2024-09-18 15:15:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wwlib.dll
Detection:	MAL
Classification:	mal52.winDLL@8/8@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, svchost.exe
Execution Graph export aborted for target loaddll32.exe, PID 2684 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 1308 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Joe Sandbox View / Context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_84619e9591b14ffd14d04d20d4fb2bb9d71e6155_952b8cde_0884fe0d-2fdf-4506-bf1f-cf256b191eb2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6978599341943196
Encrypted:	false
SSDEEP:	96:yDyJcUz+y7sy9hXE75fMvXIxcQ2c6zhhcEAcw3z+a+z+HbHg/5rLnxZU6OyWZAX0:2yJrl7BmIPKvjRqDu76wfAIO8dH
MD5:	A554E68416B33F59EC6F87D2F126FCB0
SHA1:	6DE8C4EA0CFDA86558CBC498810653337F45C7B1
SHA-256:	0E4F4A889C596ACDEE1293B550411D85E41CF52C8D2910F0EB600A0C7F86726E
SHA-512:	72A40DC8B18476E50EBC32F745434ABE5F224CB5153A9DFD285B386495AAE114F3E96B1932C1FC22AEAF1E7A9D36500997EEFC3BC92DFE52C5A0970A3B8B258F
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.1.3.9.0.4.1.0.3.1.8.5.6.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.8.8.4.f.e.0.d.-.2.f.d.f.-.4.5.0.6.-.b.f.1.f.-.c.f.2.5.6.b.1.9.1.e.b.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.9.4.6.f.6.b.7.-.9.c.8.8.-.4.c.c.d.-.8.1.9.8.-.4.0.f.2.2.c.c.1.6.f.3.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.7.c.-.0.0.0.1.-.0.0.4.9.-.a.e.1.a.-.8.f.1.7.c.d.0.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.3././.0.9././.1.5.:.0.8.:.2.3.:.4.4.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e8b2dddf5fd7deca6d6bda3a73b3f540ed433b_7522e4b5_b8307078-514d-4d49-8f00-5e5133ebcccb\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8066543684484254
Encrypted:	false
SSDEEP:	96:FnH6i1hVy0sj94sE75fMvXIxcQSc6zcEucw3P/a/z+HbHg/BQAS/YyNl4EfaA45D:ki1O0smM307jeT/Du76wfAIO8dci
MD5:	54792551133E624D4C285D27B60F1D7B
SHA1:	65C589195F02067EBB759FAD1AF3A46A59F3E31A
SHA-256:	D45703AA009090E5EE1D41D539DC74C93742734F9DAD4915444590024CB89550
SHA-512:	82A4DAF96089690E4A26C90E6B0E931779367E3E3A54D804F8970135995A523B6F0BCFD76CE23F0CF192A06AB6E4C990F12F66276C68EC3D300CCE79983CFA44
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.1.3.9.0.4.1.0.3.0.1.3.7.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.3.0.7.0.7.8.-.5.1.4.d.-.4.d.4.9.-.8.f.0.0.-.5.e.5.1.3.3.e.b.c.c.c.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.a.9.8.8.a.1.-.f.5.4.4.-.4.c.a.9.-.8.b.c.6.-.e.c.6.3.7.b.8.f.c.b.d.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.1.c.-.0.0.0.1.-.0.0.4.9.-.a.9.3.b.-.a.6.1.7.c.d.0.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.6././.0.8././.2.6.:.1.6.:.5.8.:.3.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5394.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Sep 18 13:17:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41292
Entropy (8bit):	1.9839455997086928
Encrypted:	false
SSDEEP:	96:5s85Wlz7q6w+nl9eoi75I4v4ZOiOk0Q/fRacXqtP35d0iMr/jR3dkM1ZksWI9bId:p5kG6wilNO5H4vcJ9w6Ifs/83fzjihr
MD5:	677F44213A4B1DF170629284CD6CCD13
SHA1:	A9ABC929E40478E052E1B4DD4AA7376BF4C7BCFA
SHA-256:	9E17A785A6F8CBA8B578971FCF24D188BF33AD83385B4596C04DA68E1F2704B6
SHA-512:	55A37AD78432C7E65F0BBB24D425337742813DFA2C47C443103B191A264FFBA661C5527170AD6B87447B93A0D3FD65D59D8B6D5D16805F830AC624C1A99C5D0F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f........................................>%..........T.......8...........T...............\...........H...........4...............................................................................bJ..............GenuineIntel...........T..............f.............................0..1...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53A4.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Sep 18 13:17:21 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	44054
Entropy (8bit):	1.807860163483437
Encrypted:	false
SSDEEP:	192:0pLDkryNOuaCEN8dpVJjGYHBmS84wAqAt0T:cDkryAf/e5pbhmR4E
MD5:	8C4F44F4F0F7CAA63E4711BD76EA5886
SHA1:	9FBBA691E508D5AF7254D57CA089D91C11AF8C5D
SHA-256:	483C984E8198104B925E7F01BDFAADA6216B2736B21EA78A1C2C5BD742EBAB05
SHA-512:	41DDC011016432F597F84FBFEC541044CA240961225A06EA91887D5B1B7C5597B09D1A379D0C63B8FD2E2EE7BE8CA38457C7D7D679A99A3E7AEDEB0E143B9F92
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........f....................................$............... !..........`.......8...........T...........p...........................................................................................................bJ......D.......GenuineIntel...........T.......\|......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53F3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8274
Entropy (8bit):	3.691423813749632
Encrypted:	false
SSDEEP:	192:R9l7lZNiSa6R186YvWSUK1gmf63kpB+89b55sfHybTm:R9lnNin6Y6YOSUK1gmf6E5SfHb
MD5:	A5850D91044DEE746FC69260386115E6
SHA1:	9D1079F04D1DC3E159E9274B7B5277B802986C6D
SHA-256:	B2894C60600F8DB9263D545041B91703201010D8BAD5EAA274A09E09BD97817F
SHA-512:	328357F7E6FDFC9D612526B360E803C0789F6D2F538E9F799075D0339BBE71BDC61A32404AE998805C8F4146452EBAA77091C530CBBC33D4D957440A2EB6B4B1
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.6.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5402.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8226
Entropy (8bit):	3.692808823075337
Encrypted:	false
SSDEEP:	192:R9l7lZNiv+6D6Yrj6qgmfT1JkpBT89b5ssfvTm:R9lnNiG6D6Y/6qgmfT1Z5/fi
MD5:	B17D152C9DED873AA01704464D5EBEDC
SHA1:	4D0787CF4DCFAEAD800D4E33B3388F8096DDFB51
SHA-256:	AC66BD6A963E21B5CA2442AFDD465740695ED7FD3635EDE973D7BF97E81EF036
SHA-512:	9FD582231D1C7EDC4BFA9F219794E540C555AC2FA124F30C02E8BEFE49717931E99DA153F6F59A8F4FD2EF29453BFB3CEA5EC8D19EF1F39A1C235AF474679A4A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5442.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4789
Entropy (8bit):	4.4854515479341
Encrypted:	false
SSDEEP:	48:cvIwwtl8zs6Ye702I7VFJ5WS2Cfjkjrs3rm8M4JCdPkFtO+q8/wXGScSJd:uILf6N7GySPfzJFOlJ3Jd
MD5:	73F4E5CA22B41BB6C05233FEE5DF535B
SHA1:	47EFD591FC363C5080B9DABDBA9FE9245D1A9B63
SHA-256:	9A00BB98D1B1908C66D759470C2DCA355D46DF6DC44D5808AA789F405B509FA3
SHA-512:	B2A74A36B767A0628177C0A68DB9154EE8F7C1097F46A4242867649B0F7812DB7689377BEA3EA59E234644778D1BCB15951A940557B8CB682E48F4ABEEB4DBAC
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222849508" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5443.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4713
Entropy (8bit):	4.4632571660512195
Encrypted:	false
SSDEEP:	48:cvIwwtl8zs6Ye702I7VFJ5WS2Cfjkjws3rm8M4JykFw+q8nZKcQIcQwCNd:uILf6N7GySPfqJY6KkwCNd
MD5:	BBBF20AD64063F44326B7C1D6B1CFB49
SHA1:	5DB72CBA1B90820152428FAD6AEAA319DB11A8D2
SHA-256:	E2CAAEDF0EC19D24378B4752F0006EC45EF66DBF6CCD21E11D34E227D9897464
SHA-512:	3143862546199CC7C3425DEFE25857052E6574BB93FF92974A3AE7EF5DB5E2C6FEC96F895B72F929DD3D6FB1AC0F34ED978B5DD75DC9786A336FEAB5EB3E38C7
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222849508" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="

GetModuleFileNameA, lstrcatA, CreateFileA, CloseHandle, GetCurrentThreadId, GetCurrentProcess, WriteFile, FlushFileBuffers, WideCharToMultiByte, GetFileSize, VirtualAlloc, ReadFile, SwitchToFiber, CreateFiber, GetProcAddress, GetModuleHandleA, ConvertThreadToFiber, VirtualProtect, VirtualFree, CreateFileW, DecodePointer, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, InterlockedFlushSList, RaiseException, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapFree, HeapAlloc, GetStdHandle, GetFileType, LCMapStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, SetFilePointerEx, GetStringTypeW, SetStdHandle, GetConsoleOutputCP, GetConsoleMode, HeapSize, HeapReAlloc, WriteConsoleW

USER32.dll

MessageBoxA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• WerFault.exe
• WerFault.exe

Click to jump to process

Memory Usage

• loaddll32.exe
• conhost.exe
• cmd.exe
• rundll32.exe
• WerFault.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	09:17:20
Start date:	18/09/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\wwlib.dll"
Imagebase:	0x290000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:17:20
Start date:	18/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff635bd0000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:17:20
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\wwlib.dll",#1
Imagebase:	0xdf0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:17:20
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\wwlib.dll",#1
Imagebase:	0xe60000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:17:20
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 288
Imagebase:	0xba0000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:17:20
Start date:	18/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 564
Imagebase:	0xba0000
File size:	482'640 bytes
MD5 hash:	40A149513D721F096DDF50C04DA2F01F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 00D9E54B Relevance: .8, Instructions: 832COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.79044325545.0000000000D9D000.00000004.00000020.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d9d000_loaddll32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d51d09cebaa8b3ac53e37b0e73b883c26d79235de9a4d94b5344b459e3d7bae
Instruction ID: 50eda2594a6cfbf9788deed4e6138bc5a43ef8b3bf306053a4f5d39755f42a9e
Opcode Fuzzy Hash: 4d51d09cebaa8b3ac53e37b0e73b883c26d79235de9a4d94b5344b459e3d7bae
Instruction Fuzzy Hash: BDC1657214E7C19FC7474BA888691A57FB0AF0732475E86EBC0D58F4B3C728480ADB66

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.20268752678341
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wwlib.dll
File size:	75'776 bytes
MD5:	b010e9152586cebd0343135577c30b95
SHA1:	1efc081d7520c113a7469d1c39eec3bc31578dd9
SHA256:	0d91dfd16175658da35e12cafc4f8aa22129b42b7170898148ad516836a3344f
SHA512:	55b07a2b93172226eeb52a69a0ebdbab9f09351723342a89b1e1caab19d1eb98961843c637b10711c67a66c1d73547b247d3a5111f5b7fcb8b6d9316c7429354
SSDEEP:	1536:F1MzlSNbwRmcbPAh7lFsJINZDwN1sWAcdVHfUy22222QgFji:F1clK6mcbPUsINdwrVHfUy22222BFji
TLSH:	63737B057AD1D871E6BE2E352860D9A16B3E78124ED08DA73B49057E8F312C0DF35E6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........TK..:...:...:...9...:...?.{.:...>...:...?...:...>...:...9...:...;...:...;...:.7.3...:.7.....:.7.8...:.Rich..:................

Entrypoint:	0x10001d5c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x65E53976 [Mon Mar 4 03:01:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	87df6fcdfa2d0f7f5fb829a02d50abaa

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11624	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x15000	0xe58	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10e90	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x10ec8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc000	0x13c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa9b8	0xaa00	057a77b3f80069ab5d2c90dc96a6aea8	False	0.6120634191176471	COM executable for DOS	6.600940760480938	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xc000	0x5d2e	0x5e00	d42be509d4bdf85c65e9bcb5b121778e	False	0.4122340425531915	data	4.819049247056584	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x12000	0x1530	0xa00	677eb4c8f6c8d99db7e7926d9ca0fe0f	False	0.151953125	data	1.9883808015499331	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x14000	0xf8	0x200	71f7e17ea60680f050fbbe9ca47768c9	False	0.3359375	data	2.5249599901333757	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x15000	0xe58	0x1000	1d58ce0c089ae0891ccac7a1a6ff278b	False	0.70703125	data	6.173559933410245	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wwlib.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_84619e9591b14ffd14d04d20d4fb2bb9d71e6155_952b8cde_0884fe0d-2fdf-4506-bf1f-cf256b191eb2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_e8b2dddf5fd7deca6d6bda3a73b3f540ed433b_7522e4b5_b8307078-514d-4d49-8f00-5e5133ebcccb\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5394.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53A4.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER53F3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5402.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5442.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5443.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 2684, Parent PID: 5000

General

Windows Analysis Report
wwlib.dll