Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
b80aa0ad.dll

Overview

General Information

Sample name:b80aa0ad.dll
Analysis ID:1544111
MD5:8690de5c1ecebb3e9d57858cade1ef79
SHA1:de827f930b4fd06e891917c567fb269db978fa6d
SHA256:02c26cdda2a9bb2d751f539b0ce1cc3d5f4645478fc9b72bbbdc305789feab55
Infos:

Detection

Score:22
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

AI detected suspicious sample
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

Process Tree

  • System is w10x64
  • loaddll64.exe (PID: 3200 cmdline: loaddll64.exe "C:\Users\user\Desktop\b80aa0ad.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 1656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2328 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\b80aa0ad.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 5692 cmdline: rundll32.exe "C:\Users\user\Desktop\b80aa0ad.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
    • rundll32.exe (PID: 3404 cmdline: rundll32.exe C:\Users\user\Desktop\b80aa0ad.dll,boot_CryptX MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

No yara matches

Sigma Signatures

No Sigma rule has matched

Suricata Signatures

No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
AI detected suspicious sample
Source: Submited SampleIntegrated Neural Analysis Model: Matched 89.1% probability
Source: b80aa0ad.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: classification engineClassification label: sus22.winDLL@8/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1656:120:WilError_03
Source: b80aa0ad.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\b80aa0ad.dll,boot_CryptX
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\b80aa0ad.dll"
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\b80aa0ad.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\b80aa0ad.dll,boot_CryptX
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\b80aa0ad.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\b80aa0ad.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\b80aa0ad.dll,boot_CryptXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\b80aa0ad.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: perl538.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\rundll32.exeAutomated click: OK
Source: C:\Windows\System32\rundll32.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: b80aa0ad.dllStatic PE information: Image base 0x180000000 > 0x60000000
Source: b80aa0ad.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: b80aa0ad.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll64.exeProcess queried: DebugPortJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\b80aa0ad.dll",#1Jump to behavior

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		11
Process Injection		1
Virtualization/Sandbox Evasion		OS Credential Dumping1
Security Software Discovery		Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading		1
Rundll32		LSASS Memory1
Virtualization/Sandbox Evasion		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection		Security Account Manager1
System Information Discovery		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1544111 Sample: b80aa0ad.dll Startdate: 28/10/2024 Architecture: WINDOWS Score: 22 17 AI detected suspicious sample 2->17 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        13 rundll32.exe 7->13         started        process5 15 rundll32.exe 9->15         started       

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

SourceDetectionScannerLabelLink
b80aa0ad.dll0%ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

World Map of Contacted IPs

No contacted IP infos

General Information

Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544111
Start date and time:2024-10-28 20:49:30 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 55s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:b80aa0ad.dll
Detection:SUS
Classification:sus22.winDLL@8/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Stop behavior analysis, all processes terminated

Warnings

  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, otelrules.azureedge.net
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: b80aa0ad.dll

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASNs

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Entropy (8bit):6.7429056292315845
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 86.43%
  • Win64 Executable (generic) (12005/4) 10.17%
  • Generic Win/DOS Executable (2004/3) 1.70%
  • DOS Executable Generic (2002/1) 1.70%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:b80aa0ad.dll
File size:821'760 bytes
MD5:8690de5c1ecebb3e9d57858cade1ef79
SHA1:de827f930b4fd06e891917c567fb269db978fa6d
SHA256:02c26cdda2a9bb2d751f539b0ce1cc3d5f4645478fc9b72bbbdc305789feab55
SHA512:be167c84432c0443344930e990d35a8695771a4b11621160803d51ece1fa56a9928d8d384c9e5cd255f8597f38f56e45f437f3d53bdeb248a4954912350fb49c
SSDEEP:12288:mBmc2APKrCM5PS6YZ1cB0zOZToqndgTQOVCbtadxao1PJV:mBmcLBGz0+znKT/Vi61
TLSH:4F057D23E7A001D4D5BE8234C82B9627DBB7B85123B493F71577DA999FA33325A36700
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z.t.....................................................U.......sk..........A...........................Rich...................

File Icon

Icon Hash:7ae282899bbab082

Static PE Info

General

Entrypoint:0x18008acf0
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x180000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x6581C547 [Tue Dec 19 16:31:03 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:2
File Version Major:5
File Version Minor:2
Subsystem Version Major:5
Subsystem Version Minor:2
Import Hash:fe2583907928403977721b31fc0edd52

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007F2A98F41397h
call 00007F2A98F419D0h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007F2A98F41224h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [00001317h]
dec eax
mov ecx, ebx
call dword ptr [00001316h]
call dword ptr [00001300h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [00001324h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call dword ptr [000012C8h]
test eax, eax
je 00007F2A98F41399h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [0003B376h]
call 00007F2A98F4155Eh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [0003B45Dh], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [0003B3EDh], eax
dec eax
mov eax, dword ptr [0003B446h]
dec eax
mov dword ptr [0003B2B7h], eax

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0xc54200x4c.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT0xc546c0xc8.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE0x00x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION0xca0000x2f28.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0xcd0000x83c.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0xc27f00x1c.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xc26b00x140.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x8c0000x2f8.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

Sections

NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.text0x10000x8a9f80x8aa00fa0b34a2b2f2f0098ae47a76989e37e3False0.4502032377141569data6.491879872715904IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata0x8c0000x39f660x3a00003cf37cfe4b470edd7cfa4256df98a0fFalse0.4979753165409483data6.672856425255049IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data0xc60000x3d300x200983027c17169aeea2e022f032281674aFalse0.111328125DOS executable (block device driver \322f\324\377\3772)0.5255877636901187IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata0xca0000x2f280x3000c10cb547bfc79e1064835e463f6f23b5False0.5040690104166666data5.712883706825695IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc0xcd0000x83c0xa003bf34910f834c6d6727dc3f6648081cfFalse0.46640625data4.922048450673919IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLLImport
perl538.dllPerl_sv_isobject, Perl_newXS_deffile, Perl_newSVuv, Perl_sv_2bool_flags, Perl_sv_setiv_mg, Perl_sv_setref_pv, Perl_more_bodies, Perl_croak, Perl_newSVpv, Perl_sv_derived_from, Perl_sv_2pv_flags, Perl_newSViv, Perl_sv_2iv_flags, Perl_stack_grow, Perl_sv_setpvn, Perl_croak_nocontext, Perl_mg_get, Perl_sv_2pvbyte_flags, Perl_croak_xs_usage, Perl_sv_setnv_mg, Perl_sv_setuv_mg, Perl_xs_handshake, Perl_more_sv, Perl_sv_free2, Perl_hv_common_key_len, Perl_xs_boot_epilog, Perl_sv_backoff, Perl_sv_catpvf_nocontext, Perl_sv_2uv_flags, Perl_sv_2mortal, Perl_safesyscalloc, Perl_sv_2nv_flags, Perl_newSV, Perl_safesysfree, Perl_sv_grow, Perl_sv_isa, Perl_sv_newmortal, Perl_get_hv, Perl_cvgv_from_hek, Perl_newSVpvn, Perl_get_context
KERNEL32.dllDisableThreadLibraryCalls, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, IsProcessorFeaturePresent, InitializeSListHead, GetCurrentProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, IsDebuggerPresent, TerminateProcess, GetSystemTimeAsFileTime
ADVAPI32.dllCryptGenRandom, CryptReleaseContext, CryptAcquireContextA
VCRUNTIME140.dllmemmove, memcmp, __std_type_info_destroy_list, __C_specific_handler, memcpy, memset
api-ms-win-crt-string-l1-1-0.dllstrncmp, strcmp, strlen, toupper
api-ms-win-crt-heap-l1-1-0.dllfree, realloc, malloc, calloc
api-ms-win-crt-utility-l1-1-0.dll_rotl64, qsort
api-ms-win-crt-time-l1-1-0.dllclock
api-ms-win-crt-runtime-l1-1-0.dll_crt_atexit, _execute_onexit_table, _register_onexit_function, _cexit, _initialize_narrow_environment, _configure_narrow_argv, _seh_filter_dll, _initterm_e, _initterm, _initialize_onexit_table

Exports

NameOrdinalAddress
boot_CryptX10x180036aa8

Network Behavior

No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

General

Target ID:0
Start time:15:50:22
Start date:28/10/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\b80aa0ad.dll"
Imagebase:0x7ff6a1790000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:1
Start time:15:50:22
Start date:28/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff66e660000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:2
Start time:15:50:22
Start date:28/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\b80aa0ad.dll",#1
Imagebase:0x7ff7f9b20000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:3
Start time:15:50:22
Start date:28/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe C:\Users\user\Desktop\b80aa0ad.dll,boot_CryptX
Imagebase:0x7ff6a9db0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

General

Target ID:4
Start time:15:50:22
Start date:28/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\b80aa0ad.dll",#1
Imagebase:0x7ff6a9db0000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Disassembly

No disassembly