
Windows Analysis Report
ssowoface.dll

Overview

General Information

Sample name:ssowoface.dll
Analysis ID:1530868
MD5:030bcd5ede911a4c12bace4d0695fdf1
SHA1:5c861990cf2e07b99f37b21c4dc2d7a6fdfa8cd8
SHA256:4a302c0ed3c47231bc7c34cf2d41bc0ceb60d9c7b0023df015f75a58853f43d2
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Creates a process in suspended mode (likely to inject code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Sample execution stops while process was sleeping (likely an evasion)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 5012 cmdline: loaddll64.exe "C:\Users\user\Desktop\ssowoface.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 4960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1136 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 1720 cmdline: rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
        • cmd.exe (PID: 5232 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 1004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 4916 cmdline: rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx MD5: EF3179D498793BF4234F708D3BE28633)
      • cmd.exe (PID: 3524 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rundll32.exe (PID: 4192 cmdline: rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",DoUpdateInstanceEx MD5: EF3179D498793BF4234F708D3BE28633)
      • cmd.exe (PID: 7104 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-10T16:15:36.016944+0200 | 2034945 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 192.36.61.122 | 443 | TCP

Source: ssowoface.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: Network traffic | Suricata IDS: 2034945 - Severity 1 - ET MALWARE Win32/Suspected Reverse Shell Connection : 192.168.2.4:49731 -> 192.36.61.122:443
Source: C:\Windows\System32\rundll32.exe | Network Connect: 192.36.61.122 443
Source: Joe Sandbox View | ASN Name: EDIS-AS-EUAT EDIS-AS-EUAT
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: protectconnections.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: ssowoface.dll | Static PE information: invalid certificate
Source: classification engine | Classification label: mal56.evad.winDLL@19/0@1/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1004:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4960:120:WilError_03
Source: ssowoface.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx
Source: unknown | Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ssowoface.dll"
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",DoUpdateInstanceEx
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx
Source: C:\Windows\System32\loaddll64.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",DoUpdateInstanceEx
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\loaddll64.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: ssowoface.dll | Static PE information: Image base 0x180000000 > 0x60000000
Source: ssowoface.dll | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: ssowoface.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll64.exe TID: 1700 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe | Thread delayed: delay time: 120000
Source: rundll32.exe, 00000003.00000002.1671384608.00000202CABD8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1671502440.0000023352BF8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.1701057969.00000175CDD22000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe | Network Connect: 192.36.61.122 443
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Rundll32 | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Virtualization/Sandbox Evasion | LSASS Memory | 11 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 1 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Behavior Graph ID: 1530868, Sample: ssowoface.dll, Startdate: 10/10/2024, Architecture: WINDOWS, Score: 56. The graph shows loaddll64.exe starting rundll32.exe, cmd.exe, a second rundll32.exe and conhost.exe; the first rundll32.exe carries the signature "System process connects to network (likely due to code injection or exploit)" and starts cmd.exe; the cmd.exe started by loaddll64.exe starts a rundll32.exe that reaches protectconnections.com (192.36.61.122, port 443, source ports 49730 and 49731, EDIS-AS-EUAT, Sweden) and starts cmd.exe; each cmd.exe starts conhost.exe. Signature attached to the graph: Suricata IDS alerts for network traffic.

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
protectconnections.com | 192.36.61.122 | true | true | | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    192.36.61.122 | protectconnections.com | Sweden | 57169 | EDIS-AS-EUAT | true
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1530868
    Start date and time:2024-10-10 16:14:50 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 5m 4s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run name:Run with higher sleep bypass
    Number of analysed new started processes analysed:16
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:ssowoface.dll
    Detection:MAL
    Classification:mal56.evad.winDLL@19/0@1/1
    EGA Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Found application associated with file extension: .dll
    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    • VT rate limit hit for: ssowoface.dll
    No simulations
    No context
    No context
    Match | Associated Sample Name / URL | Detection | Threat Name | Context
    EDIS-AS-EUAT | msws.msi | malicious | ORPCBackdoor | 151.236.9.174
    EDIS-AS-EUAT | msws.msi | malicious | ORPCBackdoor | 151.236.9.174
    EDIS-AS-EUAT | Mcb5K3TOWT.exe | malicious | Unknown | 192.36.38.33
    EDIS-AS-EUAT | 987123.exe | malicious | LummaC, Eternity Stealer, LummaC Stealer, SmokeLoader, Stealc, zgRAT | 192.36.38.33
    EDIS-AS-EUAT | 16GAuqLUFK.exe | malicious | Glupteba, RedLine, SmokeLoader, Stealc | 192.36.38.33
    EDIS-AS-EUAT | NBHEkIKDCr.exe | malicious | Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz | 192.36.38.33
    EDIS-AS-EUAT | file.exe | malicious | RedLine, SmokeLoader | 192.36.38.33
    EDIS-AS-EUAT | XqmbvBWVRN.elf | malicious | Mirai | 37.235.56.176
    EDIS-AS-EUAT | Q9WWwskOzG.elf | malicious | Mirai | 151.236.13.222
    No context
    No context
    No created / dropped files found
    File type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
    Entropy (8bit):6.177604276001926
    TrID:
    • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
    • Win64 Executable (generic) (12005/4) 10.17%
    • Generic Win/DOS Executable (2004/3) 1.70%
    • DOS Executable Generic (2002/1) 1.70%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
    File name:ssowoface.dll
    File size:228'408 bytes
    MD5:030bcd5ede911a4c12bace4d0695fdf1
    SHA1:5c861990cf2e07b99f37b21c4dc2d7a6fdfa8cd8
    SHA256:4a302c0ed3c47231bc7c34cf2d41bc0ceb60d9c7b0023df015f75a58853f43d2
    SHA512:39f7c0d817438b8346430b70821ef5a0056e8573357ce06f0f45b2893f2636b6005384fd46d4dfcee28f7b31a1bcddeca41bf9c59f543c7d637ebc5f1dfd75b7
    SSDEEP:3072:QelD1jZARe3+70Wm4laut/U1lqo8DLmHa5LOwzlSkYghm5KQFspLr5omGDLM:KQWmBut81Qo8DyHGqghpd
    TLSH:CC246C5A77A40CB8ECB78239C9534A06D7B27C164760E6CF03A0465ADF2F7D1993EB21
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........b.........................A.........../+....../+....../+.......................,.......,.......,......Rich...................
    Icon Hash:7ae282899bbab082
    Entrypoint:0x180008cd8
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x180000000
    Subsystem:windows gui
    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
    Time Stamp:0x66FE7786 [Thu Oct 3 10:52:54 2024 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:39f2a397d177ea36c4f18a77ec235b92
    Signature Valid:false
    Signature Issuer:O=Internet Widgits Pty Ltd, S=Some-State, C=AU
    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
    Error Number:-2146762487
    Not Before: 01/10/2024 12:10:19
    Not After: 01/10/2025 12:10:19
    Subject Chain:
    • O=Internet Widgits Pty Ltd, S=Some-State, C=AU
    Version:3
    Thumbprint MD5:201A4767A6BEB5A9B496A401B55E7C3C
    Thumbprint SHA-1:3593F9FD21FD23C5C3F87AA41C3B9EEE024ABD53
    Thumbprint SHA-256:B1AF087847C12FE3143504DE651B0274D743BC375D798ED802A70A0EBEE69B3C
    Serial:07C60D17A50D610986826BF3907575AF0D464B27
    Instruction (entrypoint preview; the listing decodes this 64-bit code with a 32-bit decoder, so the dec/inc register entries are REX prefixes and arpl is movsxd)
    dec eax
    mov dword ptr [esp+08h], ebx
    dec eax
    mov dword ptr [esp+10h], esi
    push edi
    dec eax
    sub esp, 20h
    dec ecx
    mov edi, eax
    mov ebx, edx
    dec eax
    mov esi, ecx
    cmp edx, 01h
    jne 00007F5B2C878217h
    call 00007F5B2C878A8Ch
    dec esp
    mov eax, edi
    mov edx, ebx
    dec eax
    mov ecx, esi
    dec eax
    mov ebx, dword ptr [esp+30h]
    dec eax
    mov esi, dword ptr [esp+38h]
    dec eax
    add esp, 20h
    pop edi
    jmp 00007F5B2C8780B0h
    int3
    int3
    int3
    dec eax
    sub esp, 28h
    dec ebp
    mov eax, dword ptr [ecx+38h]
    dec eax
    mov ecx, edx
    dec ecx
    mov edx, ecx
    call 00007F5B2C878222h
    mov eax, 00000001h
    dec eax
    add esp, 28h
    ret
    int3
    int3
    int3
    inc eax
    push ebx
    inc ebp
    mov ebx, dword ptr [eax]
    dec eax
    mov ebx, edx
    inc ecx
    and ebx, FFFFFFF8h
    dec esp
    mov ecx, ecx
    inc ecx
    test byte ptr [eax], 00000004h
    dec esp
    mov edx, ecx
    je 00007F5B2C878225h
    inc ecx
    mov eax, dword ptr [eax+08h]
    dec ebp
    arpl word ptr [eax+04h], dx
    neg eax
    dec esp
    add edx, ecx
    dec eax
    arpl ax, cx
    dec esp
    and edx, ecx
    dec ecx
    arpl bx, ax
    dec edx
    mov edx, dword ptr [eax+edx]
    dec eax
    mov eax, dword ptr [ebx+10h]
    mov ecx, dword ptr [eax+08h]
    dec eax
    mov eax, dword ptr [ebx+08h]
    test byte ptr [ecx+eax+03h], 0000000Fh
    je 00007F5B2C87821Dh
    movzx eax, byte ptr [ecx+eax+03h]
    and eax, FFFFFFF0h
    dec esp
    add ecx, eax
    dec esp
    xor ecx, edx
    dec ecx
    mov ecx, ecx
    pop ebx
    jmp 00007F5B2C877A42h
    int3
    dec eax
    mov eax, esp
    dec eax
    mov dword ptr [eax+08h], ebx
    dec eax
    mov dword ptr [eax+10h], ebp
    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x338a0 | 0x54 | .rdata
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x338f4 | 0x50 | .rdata
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x38000 | 0x2268 | .pdata
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x37600 | 0x638 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x3b000 | 0x948 | .reloc
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2f6b0 | 0x38 | .rdata
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2f570 | 0x140 | .rdata
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x358 | .rdata
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x23a38 | 0x23c00 | 75003e32083036bd757e9963379f1cf2 | False | 0.5513275786713286 | data | 6.4459001643525635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .rdata | 0x25000 | 0xf376 | 0xf400 | 6e852676476d08584f54374c167e84b6 | False | 0.3981653432377049 | data | 4.682165317882639 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .data | 0x35000 | 0x2a3c | 0x1400 | 681e233c6ed5777b900db034c0ecb9bb | False | 0.16640625 | DOS executable (block device driver) | 2.905293352714223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .pdata | 0x38000 | 0x2268 | 0x2400 | 5b5df6c0d7cdb5e1735a5f23e41cea6a | False | 0.4645182291666667 | data | 5.17376077140543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    .reloc | 0x3b000 | 0x948 | 0xa00 | 37eb0cf8c0640bc1c27302c544c5ce0e | False | 0.4828125 | data | 5.298418755280868 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
    DLL | Import
    KERNEL32.dll | SetHandleInformation, Wow64DisableWow64FsRedirection, CreatePipe, GetCurrentDirectoryA, Sleep, GetSystemDirectoryA, CloseHandle, CreateProcessA, ReadFile, WriteFile, PeekNamedPipe, SetEndOfFile, WriteConsoleW, HeapSize, CreateFileW, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, GetFileSizeEx, SetFilePointerEx, GetStdHandle, GetFileType, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, HeapFree, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, RtlUnwind
    USER32.dll | wsprintfA
    WS2_32.dll | closesocket, gethostbyname, WSAStartup, WSACleanup, socket, connect, inet_ntoa, htons, send, recv, inet_addr
    Name | Ordinal | Address
    DoUpdateInstanceEx | 1 | 0x180006be0
    Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
    2024-10-10T16:15:36.016944+0200 | 2034945 | ET MALWARE Win32/Suspected Reverse Shell Connection | 1 | 192.168.2.4 | 49731 | 192.36.61.122 | 443 | TCP
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Oct 10, 2024 16:15:41.849252939 CEST | 49730 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:41.849304914 CEST | 443 | 49730 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:41.849402905 CEST | 49730 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:41.851644993 CEST | 49731 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:41.851692915 CEST | 443 | 49731 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:41.851897955 CEST | 49731 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:42.063920021 CEST | 49730 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:42.063949108 CEST | 443 | 49730 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:42.064014912 CEST | 49731 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:42.064034939 CEST | 443 | 49730 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:42.064049959 CEST | 49730 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:42.064069033 CEST | 443 | 49730 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:42.064071894 CEST | 443 | 49731 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:42.064146042 CEST | 49731 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:42.064160109 CEST | 443 | 49731 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:42.064203024 CEST | 443 | 49731 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:44.819339037 CEST | 49732 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:44.819447041 CEST | 443 | 49732 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:44.819555044 CEST | 49732 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:45.032908916 CEST | 49732 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:45.033020020 CEST | 443 | 49732 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:45.033107042 CEST | 443 | 49732 | 192.36.61.122 | 192.168.2.4
    Oct 10, 2024 16:15:45.033113956 CEST | 49732 | 443 | 192.168.2.4 | 192.36.61.122
    Oct 10, 2024 16:15:45.033152103 CEST | 443 | 49732 | 192.36.61.122 | 192.168.2.4
    Timestamp | Source Port | Dest Port | Source IP | Dest IP
    Oct 10, 2024 16:15:41.802845001 CEST | 62354 | 53 | 192.168.2.4 | 1.1.1.1
    Oct 10, 2024 16:15:41.840620995 CEST | 53 | 62354 | 1.1.1.1 | 192.168.2.4
    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
    Oct 10, 2024 16:15:41.802845001 CEST | 192.168.2.4 | 1.1.1.1 | 0xbf53 | Standard query (0) | protectconnections.com | A (IP address) | IN (0x0001) | false
    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
    Oct 10, 2024 16:15:41.840620995 CEST | 1.1.1.1 | 192.168.2.4 | 0xbf53 | No error (0) | protectconnections.com | | 192.36.61.122 | A (IP address) | IN (0x0001) | false


    Target ID:0
    Start time:10:15:40
    Start date:10/10/2024
    Path:C:\Windows\System32\loaddll64.exe
    Wow64 process (32bit):false
    Commandline:loaddll64.exe "C:\Users\user\Desktop\ssowoface.dll"
    Imagebase:0x7ff6ea060000
    File size:165'888 bytes
    MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:1
    Start time:10:15:40
    Start date:10/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:2
    Start time:10:15:40
    Start date:10/10/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1
    Imagebase:0x7ff719fb0000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:3
    Start time:10:15:40
    Start date:10/10/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe C:\Users\user\Desktop\ssowoface.dll,DoUpdateInstanceEx
    Imagebase:0x7ff677530000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:4
    Start time:10:15:40
    Start date:10/10/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",#1
    Imagebase:0x7ff7699e0000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:5
    Start time:10:15:40
    Start date:10/10/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\system32\cmd.exe"
    Imagebase:0x7ff719fb0000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:6
    Start time:10:15:40
    Start date:10/10/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\system32\cmd.exe"
    Imagebase:0x7ff719fb0000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:7
    Start time:10:15:40
    Start date:10/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:8
    Start time:10:15:40
    Start date:10/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:9
    Start time:10:15:43
    Start date:10/10/2024
    Path:C:\Windows\System32\rundll32.exe
    Wow64 process (32bit):false
    Commandline:rundll32.exe "C:\Users\user\Desktop\ssowoface.dll",DoUpdateInstanceEx
    Imagebase:0x7ff677530000
    File size:71'680 bytes
    MD5 hash:EF3179D498793BF4234F708D3BE28633
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:10
    Start time:10:15:43
    Start date:10/10/2024
    Path:C:\Windows\System32\cmd.exe
    Wow64 process (32bit):false
    Commandline:"C:\Windows\system32\cmd.exe"
    Imagebase:0x7ff719fb0000
    File size:289'792 bytes
    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:true

    Target ID:11
    Start time:10:15:43
    Start date:10/10/2024
    Path:C:\Windows\System32\conhost.exe
    Wow64 process (32bit):false
    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Imagebase:0x7ff7699e0000
    File size:862'208 bytes
    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Has exited:true

    No disassembly