Windows Analysis Report
KLWsv.dll

Overview

General Information

Sample name: KLWsv.dll
Analysis ID: 1544175
MD5: 102bcd38e265b5ab30ea24a798b76d27
SHA1: 2fb9002e810ddf895610f5d46716d9ac76a9660e
SHA256: 2059cd1e58c75266c997315777dbe2bad3e65e9811b101ae74d9fdf2321a3be6

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

AV Detection

Source: KLWsv.dll ReversingLabs: Detection: 66%
Source: KLWsv.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: KLWsv.dll Static PE information: DYNAMIC_BASE, NX_COMPAT

System Summary

Source: KLWsv.dll Static PE information: section name: .nv+
Source: KLWsv.dll Static PE information: section name: .[sg
Source: KLWsv.dll Static PE information: section name: .8E*
Source: KLWsv.dll Static PE information: section name: .A~F
Source: KLWsv.dll Static PE information: section name: .{oQ
Source: KLWsv.dll Static PE information: section name: .%".
Source: KLWsv.dll Static PE information: Number of sections : 16 > 10
Source: classification engine Classification label: mal72.evad.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:304:WilStaging_02
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringClose
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\KLWsv.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringCmp
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringCreate
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: shfolder.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: magnification.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: d3d9.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: KLWsv.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: KLWsv.dll Static file information: File size 32656384 > 1048576
Source: KLWsv.dll Static PE information: Raw size of .%". is bigger than: 0x100000 < 0x1f08600
Source: KLWsv.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: initial sample Static PE information: section where entry point is pointing to: .%".
Source: KLWsv.dll Static PE information: section name: .didata
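The static findings in this section (section names made of special characters, 16 sections where 10 is the usual ceiling, an entry point inside the section named '.%".', and a raw section larger than 1 MiB) can be reproduced with a small PE header parser. The following is an added example and not code from the report or the sandbox vendor: parse_pe() and assess() work on any PE bytes, build_sample_header() constructs a synthetic header that mirrors the facts stated above rather than the real file, and the list of "standard" section names is this example's own assumption (it deliberately excludes the Delphi-style .didata so that it is flagged, as the report does).

```python
"""Static PE checks reproducing the System Summary findings (added example, not
sandbox code). parse_pe()/assess() accept any PE image; build_sample_header()
constructs a header that mirrors what the report states about KLWsv.dll.
"""
import struct
import sys

# Assumption: names a mainstream toolchain emits. Anything else is non-standard,
# which is why the Delphi-style '.didata' is reported alongside the odd names.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".CRT", ".debug"}
NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
MACHINE_I386, PE32_MAGIC = 0x14C, 0x10B
EXECUTABLE_IMAGE, MACHINE_32BIT, DLL = 0x0002, 0x0100, 0x2000
DYNAMIC_BASE, NX_COMPAT = 0x0040, 0x0100


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the PE32 optional-header fields needed here, and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                # after signature + COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]      # DllCharacteristics (PE32 layout)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize})
    return {"machine": machine, "chars": chars, "magic": magic, "dll_chars": dll_chars,
            "entry_rva": entry_rva, "sections": sections}


def section_for_rva(sections: list, rva: int):
    """Name of the section whose virtual range contains rva, or None if it lies in no section."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def assess(pe: dict) -> dict:
    """Apply the report's heuristics: names, section count, entry-point location, raw sizes."""
    names = [s["name"] for s in pe["sections"]]
    ep = section_for_rva(pe["sections"], pe["entry_rva"])
    return {
        "is_32bit_dll": pe["machine"] == MACHINE_I386 and pe["magic"] == PE32_MAGIC
                        and bool(pe["chars"] & DLL),
        "dynamic_base": bool(pe["dll_chars"] & DYNAMIC_BASE),
        "nx_compat": bool(pe["dll_chars"] & NX_COMPAT),
        "section_count": len(names),
        "too_many_sections": len(names) > 10,
        "special_char_names": [n for n in names if not set(n) <= NAME_CHARS],
        "nonstandard_names": [n for n in names if n not in STANDARD_SECTIONS],
        "entry_point_section": ep,
        "entry_outside_standard": ep not in STANDARD_SECTIONS,
        "raw_over_1mb": [s["name"] for s in pe["sections"] if s["rawsize"] > 0x100000],
    }


def build_sample_header() -> bytes:
    """Constructed header, not the real file: 32-bit DLL, 16 sections, entry point in '.%".'."""
    names = [".text", ".data", ".rdata", ".bss", ".idata", ".edata", ".rsrc", ".reloc",
             ".tls", ".didata", ".nv+", ".[sg", ".8E*", ".A~F", ".{oQ", '.%".']
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew right after DOS header
    opt_size = 0xE0                                              # PE32 optional header size
    coff = struct.pack("<HHIIIHH", MACHINE_I386, len(names), 0, 0, 0, opt_size,
                       EXECUTABLE_IMAGE | MACHINE_32BIT | DLL)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, DYNAMIC_BASE | NX_COMPAT)
    table, vaddr, entry_rva = b"", 0x1000, 0
    for name in names:
        size = 0x1F08600 if name == '.%".' else 0x1000           # the odd last section is the big one
        if name == '.%".':
            entry_rva = vaddr + 0x10                             # entry point inside it
        table += struct.pack("<8sIIIIIIHHI", name.encode("latin-1").ljust(8, b"\0"),
                             size, vaddr, size, 0, 0, 0, 0, 0, 0x60000020)
        vaddr += (size + 0xFFF) & ~0xFFF
    struct.pack_into("<I", opt, 16, entry_rva)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    for key, val in assess(parse_pe(blob)).items():
        print(f"{key}: {val}")
```

Run with a file path to check a real DLL, or with no arguments to see the synthetic header produce the same seven non-standard names, six special-character names, the 16 > 10 section count and the entry point in '.%".' that the report lists. The "entry point outside standard sections" check is the one that matters most for triage: a packer or protector stub typically owns the entry point, so the export names (QStringClose, QStringCmp, QStringCreate) say little about what actually runs first.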

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5568 base: 3F0005 value: E9 AB 2E D3 76
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5568 base: 77122EB0 value: E9 5A D1 2C 89
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5568 base: 9A0007 value: E9 6B DC 7B 76
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5568 base: 7715DC70 value: E9 9E 23 84 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4228 base: 2CA0005 value: E9 AB 2E 48 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4228 base: 77122EB0 value: E9 5A D1 B7 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4228 base: 2CB0007 value: E9 6B DC 4A 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 4228 base: 7715DC70 value: E9 9E 23 B5 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7384 base: 25C0005 value: E9 AB 2E B6 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7384 base: 77122EB0 value: E9 5A D1 49 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7384 base: 4010007 value: E9 6B DC 14 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7384 base: 7715DC70 value: E9 9E 23 EB 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 2D60005 value: E9 AB 2E 3C 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 77122EB0 value: E9 5A D1 C3 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 2D70007 value: E9 6B DC 3E 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5968 base: 7715DC70 value: E9 9E 23 C1 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2752 base: 2880005 value: E9 AB 2E 8A 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2752 base: 77122EB0 value: E9 5A D1 75 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2752 base: 43B0007 value: E9 6B DC DA 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2752 base: 7715DC70 value: E9 9E 23 25 8D
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
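Every "Memory written" value above begins with E9, the x86 JMP rel32 opcode, so each base/value pair can be decoded into a jump edge: the target is the address just after the 5-byte instruction plus the signed 32-bit displacement. The following is an added example, not code from the report or the sandbox vendor; it decodes the PID 5568 and PID 4228 entries copied from above. The 0x70000000 boundary it uses to tell system-DLL code from the sample's private allocations is an assumption about a 32-bit process under WOW64, and the report does not name the functions at 77122EB0 and 7715DC70, so this example does not either.

```python
"""Decode the JMP rel32 patches listed under 'Memory written' (added example,
not sandbox code). Each value starts with E9; the target is base + 5 + the
signed little-endian displacement, which turns each entry into a from -> to edge.
"""
import struct

# Copied from the PID 5568 (loaddll32.exe) and PID 4228 (rundll32.exe) lines above.
MEMORY_WRITTEN = [
    (5568, 0x003F0005, "E9 AB 2E D3 76"),
    (5568, 0x77122EB0, "E9 5A D1 2C 89"),
    (5568, 0x009A0007, "E9 6B DC 7B 76"),
    (5568, 0x7715DC70, "E9 9E 23 84 89"),
    (4228, 0x02CA0005, "E9 AB 2E 48 74"),
    (4228, 0x77122EB0, "E9 5A D1 B7 8B"),
    (4228, 0x02CB0007, "E9 6B DC 4A 74"),
    (4228, 0x7715DC70, "E9 9E 23 B5 8B"),
]

# Assumption: in a 32-bit (WOW64) process the system DLLs are mapped at 0x70000000
# and above, while the sample's own allocations sit far below that.
SYSTEM_DLL_FLOOR = 0x70000000
JMP_REL32 = 0xE9


def jmp_rel32_target(base: int, value: str) -> int:
    """Return the absolute target of a 5-byte JMP rel32 written at `base`."""
    raw = bytes.fromhex(value.replace(" ", ""))
    if len(raw) != 5 or raw[0] != JMP_REL32:
        raise ValueError(f"not a JMP rel32 at {base:#010x}: {value}")
    disp = struct.unpack("<i", raw[1:])[0]              # little-endian, signed
    return (base + 5 + disp) & 0xFFFFFFFF


def classify_edges(entries):
    """Split decoded jumps into hooks (DLL -> private memory) and trampolines (private -> DLL)."""
    hooks, trampolines = [], []
    for pid, src, value in entries:
        dst = jmp_rel32_target(src, value)
        if src >= SYSTEM_DLL_FLOOR > dst:
            hooks.append((pid, src, dst))
        elif dst >= SYSTEM_DLL_FLOOR > src:
            trampolines.append((pid, src, dst))
    return hooks, trampolines


def pair_hooks(hooks, trampolines, max_stolen=16):
    """Match each hook with the trampoline in the same PID that resumes just past it.

    'stolen' is how far past the patched address execution resumes: 5 means only the
    overwritten JMP was relocated, more means whole instructions were copied out.
    """
    pairs = []
    for pid, hooked, handler in hooks:
        for tpid, stub, resume in trampolines:
            if tpid == pid and 0 < resume - hooked <= max_stolen:
                pairs.append({"pid": pid, "hooked": hooked, "handler": handler,
                              "stub": stub, "resume": resume, "stolen": resume - hooked})
    return pairs


if __name__ == "__main__":
    for p in pair_hooks(*classify_edges(MEMORY_WRITTEN)):
        print(f"PID {p['pid']}: {p['hooked']:#010x} -> {p['handler']:#010x}; "
              f"stub {p['stub']:#010x} -> {p['resume']:#010x} ({p['stolen']} bytes stolen)")
```

Decoded, the entries form the classic inline-hook pattern: in PID 5568 the write at 77122EB0 jumps to 3F000F in the sample's private memory, and the write at 3F0005 jumps back to 77122EB5, five bytes past the patch; the 7715DC70 patch jumps to 9A0013 and the stub at 9A0007 returns to 7715DC77, seven bytes in. The same two system-DLL addresses are patched in all five PIDs, with only the private-memory side moving, which is what the "possibly setting hooks in foreign process" signature is reacting to. Resolving which exported functions live at those two addresses needs the loaded-module list of that run, which this report does not include.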

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe System information queried: FirmwareTableInformation
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6D04A216
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6D040402
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CFAA321
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CDD35F6
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CDE591B
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6D202049
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CFDBB6E
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6B375D6B
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CED523E
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6D0860DF
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CDF1A06
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CE142BC
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CE2D6A5
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6D0A816B
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6B8CD551
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6D1E938B
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CF8809B
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6D004EBA
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6CE0F2C8
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6D06EDA4
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6B8DD7C1
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6AC8BF01
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6AD1EC80
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6A818F63
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6A845437
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6AC95790
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 698A5E3A
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6A887F4C
Source: C:\Windows\System32\loaddll32.exe API/Special instruction interceptor: Address: 6AB49DB8
Source: rundll32.exe, 00000006.00000002.223236076022.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
No contacted IP infos