Edit tour

Windows Analysis Report
KLWsv.dll

Overview

General Information

Sample name:	KLWsv.dll
Analysis ID:	1544175
MD5:	102bcd38e265b5ab30ea24a798b76d27
SHA1:	2fb9002e810ddf895610f5d46716d9ac76a9660e
SHA256:	2059cd1e58c75266c997315777dbe2bad3e65e9811b101ae74d9fdf2321a3be6
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Hides threads from debuggers

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Entry point lies outside standard sections

PE file contains more sections than normal

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64native

loaddll32.exe (PID: 5568 cmdline: loaddll32.exe "C:\Users\user\Desktop\KLWsv.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cmd.exe (PID: 836 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7384 cmdline: rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4228 cmdline: rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringClose MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 5968 cmdline: rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringCmp MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2752 cmdline: rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringCreate MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: KLWsv.dll

ReversingLabs: Detection: 66%

Source: KLWsv.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: KLWsv.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

System Summary

PE file contains section with special chars

Source: KLWsv.dll	Static PE information: section name: .nv+
Source: KLWsv.dll	Static PE information: section name: .[sg
Source: KLWsv.dll	Static PE information: section name: .8E*
Source: KLWsv.dll	Static PE information: section name: .A~F
Source: KLWsv.dll	Static PE information: section name: .{oQ
Source: KLWsv.dll	Static PE information: section name: .%".

Source: KLWsv.dll

Static PE information: Number of sections : 16 > 10

Source: KLWsv.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal72.evad.winDLL@12/0@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:304:WilStaging_02

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringClose

Source: KLWsv.dll

ReversingLabs: Detection: 66%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\KLWsv.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringClose
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringCmp
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringClose	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringCmp	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringCreate	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: KLWsv.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: KLWsv.dll

Static file information: File size 32656384 > 1048576

Source: KLWsv.dll

Static PE information: Raw size of .%". is bigger than: 0x100000 < 0x1f08600

Source: KLWsv.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: initial sample

Static PE information: section where entry point is pointing to: .%".

Source: KLWsv.dll	Static PE information: section name: .didata
Source: KLWsv.dll	Static PE information: section name: .nv+
Source: KLWsv.dll	Static PE information: section name: .[sg
Source: KLWsv.dll	Static PE information: section name: .8E*
Source: KLWsv.dll	Static PE information: section name: .A~F
Source: KLWsv.dll	Static PE information: section name: .{oQ
Source: KLWsv.dll	Static PE information: section name: .%".

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 5568 base: 3F0005 value: E9 AB 2E D3 76	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 5568 base: 77122EB0 value: E9 5A D1 2C 89	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 5568 base: 9A0007 value: E9 6B DC 7B 76	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 5568 base: 7715DC70 value: E9 9E 23 84 89	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 4228 base: 2CA0005 value: E9 AB 2E 48 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 4228 base: 77122EB0 value: E9 5A D1 B7 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 4228 base: 2CB0007 value: E9 6B DC 4A 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 4228 base: 7715DC70 value: E9 9E 23 B5 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7384 base: 25C0005 value: E9 AB 2E B6 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7384 base: 77122EB0 value: E9 5A D1 49 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7384 base: 4010007 value: E9 6B DC 14 73	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7384 base: 7715DC70 value: E9 9E 23 EB 8C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5968 base: 2D60005 value: E9 AB 2E 3C 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5968 base: 77122EB0 value: E9 5A D1 C3 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5968 base: 2D70007 value: E9 6B DC 3E 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5968 base: 7715DC70 value: E9 9E 23 C1 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 2752 base: 2880005 value: E9 AB 2E 8A 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 2752 base: 77122EB0 value: E9 5A D1 75 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 2752 base: 43B0007 value: E9 6B DC DA 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 2752 base: 7715DC70 value: E9 9E 23 25 8D	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\loaddll32.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	System information queried: FirmwareTableInformation			Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6D04A216
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6D040402
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CFAA321
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CDD35F6
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CDE591B
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6D202049
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CFDBB6E
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6B375D6B
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CED523E
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6D0860DF
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CDF1A06
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CE142BC
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CE2D6A5
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6D0A816B
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6B8CD551
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6D1E938B
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CF8809B
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6D004EBA
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6CE0F2C8
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6D06EDA4
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6B8DD7C1
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6AC8BF01
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6AD1EC80
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6A818F63
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6A845437
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6AC95790
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 698A5E3A
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6A887F4C
Source: C:\Windows\System32\loaddll32.exe	API/Special instruction interceptor: Address: 6AB49DB8

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rundll32.exe, 00000006.00000002.223236076022.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	21 Virtualization/Sandbox Evasion	1 Credential API Hooking	41 Security Software Discovery	Remote Services	1 Credential API Hooking	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	11 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
KLWsv.dll	67%	ReversingLabs	Win32.Spyware.Casbaneiro

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544175
Start date and time:	2024-10-29 00:03:51 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	KLWsv.dll
Detection:	MAL
Classification:	mal72.evad.winDLL@12/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: KLWsv.dll

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.991605624820092
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	KLWsv.dll
File size:	32'656'384 bytes
MD5:	102bcd38e265b5ab30ea24a798b76d27
SHA1:	2fb9002e810ddf895610f5d46716d9ac76a9660e
SHA256:	2059cd1e58c75266c997315777dbe2bad3e65e9811b101ae74d9fdf2321a3be6
SHA512:	30534b00b98124f753160c2c2acb0bff157b613ecac0254642a114f3969913a4c3e83c10e0d05ac8163f6f2d7d20db18e55b37f46b56e94fc6b3ecc5cbc1a73d
SSDEEP:	786432:t2C19fa2lX2GK9/NKQmVtsrGjhbgDQ6jn:BlX2TAG6NsDQ6b
TLSH:	5967339F3ECB01E9ED821CB0DB2777F633F26F6149D648396681B845A4B2FB5112A443
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........PE..L......f...........!.....Lr.........T}.......`r...@.......................................@................................

File Icon


Icon Hash:	1f7949c9c9693907

Static PE Info

General

Entrypoint:	0x5db7d54
Entrypoint Section:	.%".
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66FCC8E7 [Wed Oct 2 04:15:35 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5679d8e241bca605be7b4e83bd6d01eb

Entrypoint Preview

Instruction
push ebx
mov ebx, BBBC9AAAh
not bx
pushfd
shl bl, 00000002h
call 00007F9F9F8BF3A0h
neg ecx
lea edx, dword ptr [eax-07DA665Eh]
sub eax, 68A9083Dh
jne 00007F9FA11E578Bh
push E83D9F07h
dec ecx
mov esp, ecx
inc ecx
mov edx, 068509B5h
dec edx
lea edi, dword ptr [081E6B8Bh+edx*4]
inc ecx
pop edi
inc ecx
pop ecx
dec edx
lea edx, dword ptr [edi+edx-28630B6Ah]
movzx eax, di
inc ecx
pop ebp
movzx ecx, dx
jmp 00007F9F9F33A18Dh
popad
lodsd
sub cl, ah
jp 00007F9FA105671Ch
mov al, D8h
jl 00007F9FA1056718h
dec ebx
arpl cx, bp
aas
jl 00007F9FA1056718h
dec ebx
add ecx, dword ptr [ecx]
scasd
sub al, D6h
dec ebx
jc 00007F9FA10567AAh
or dword ptr [esi+edx*8], ecx
dec ebx
stosb
mov eax, 99AF5F03h
lodsb
js 00007F9FA10566D2h
shl esi, 3Fh
jmp 00007FA0010692A0h
scasb
sbb al, 2Ch
imul ecx, edi, EAh
in al, 14h
add dword ptr [eax-2Eh], 1149C602h
jmp 00007F9FA1056796h
inc eax
les esi, fword ptr [eax+7Ch]
pop es
in al, F2h
fld dword ptr [ecx+edx*2-6Bh]
cld
retf 0F64h
xor byte ptr [ebx-48h], FFFFFF9Ah
idiv byte ptr [esi-36B08630h]
insd
and dl, dh
in al, FBh
aaa
shr dword ptr [edi-6Fh], cl
call 00007FA0203711A5h
fstp dword ptr [ebx+18D7B5AAh]
std
mov byte ptr [000000DAh], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x3c8a4b8	0x2e7	.%".
IMAGE_DIRECTORY_ENTRY_IMPORT	0x58579b4	0x190	.%".
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5b82000	0x1b7ec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5b9e000	0x744	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3c78000	0x9c	.{oQ
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x5b6777c	0x200	.%".
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x71ce5c	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x71e000	0x7a0c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x726000	0x2b4e0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x752000	0x8be0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x75b000	0x452c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x760000	0xf6a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x761000	0x2e7	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata	0x762000	0x45	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.nv+	0x763000	0x1a0e60f	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.[sg	0x2172000	0xb4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.8E*	0x2173000	0x1543820	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.A~F	0x36b7000	0x5c0fe2	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.{oQ	0x3c78000	0xb4	0x200	856c746239d71f2bf15230b482b5740e	False	0.216796875	data	1.429248955326029	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.%".	0x3c79000	0x1f08600	0x1f08600	48007b3da1b522042c7f4bc6e647ac72	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5b82000	0x1b7ec	0x1b800	37b32af04b63479c9a2e1febb5b59612	False	0.76513671875	data	7.210721657588311	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5b9e000	0x744	0x800	1741c37f44f50dd72c8653918281f306	False	0.4658203125	data	4.327041928488368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5b82324	0x1628	Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors	English	United States	0.5627644569816643
RT_ICON	0x5b8394c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.6388592750533049
RT_ICON	0x5b847f4	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.7536101083032491
RT_ICON	0x5b8509c	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.6474654377880185
RT_ICON	0x5b85764	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5223988439306358
RT_ICON	0x5b85ccc	0xead1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.000249530051736
RT_ICON	0x5b947a0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.40139348134152103
RT_ICON	0x5b989c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.46856846473029046
RT_ICON	0x5b9af70	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5349437148217636
RT_ICON	0x5b9c018	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6221311475409836
RT_ICON	0x5b9c9a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.724290780141844
RT_GROUP_ICON	0x5b9ce08	0xa0	data	English	United States	0.65625
RT_VERSION	0x5b9cea8	0x234	data	English	United States	0.5053191489361702
RT_MANIFEST	0x5b9d0dc	0x710	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.4032079646017699

Imports

DLL	Import
winmm.dll	timeGetTime
wininet.dll	InternetGetConnectedState
comctl32.dll	FlatSB_SetScrollInfo
shell32.dll	SHGetMalloc
user32.dll	CopyImage
version.dll	GetFileVersionInfoSizeW
URLMON.DLL	HlinkNavigateString
oleaut32.dll	SafeArrayPutElement
netapi32.dll	NetWkstaGetInfo
msvcrt.dll	memcpy
advapi32.dll	RegSetValueExW
winhttp.dll	WinHttpGetIEProxyConfigForCurrentUser
kernel32.dll	GetVersion, GetVersionExW
SHFolder.dll	SHGetFolderPathW
wsock32.dll	gethostbyaddr
gdiplus.dll	GdiplusShutdown
ole32.dll	IsAccelerator
gdi32.dll	AddFontMemResourceEx
Magnification.dll	MagSetWindowSource

Exports

Name	Ordinal	Address
QStringClose	26	0xb0a554
QStringCmp	25	0xb0a558
QStringCreate	24	0xb0a55c
QStringGet	23	0xb0a560
QStringSet	22	0xb0a564
WebUIClose	8	0xb0a59c
WebUICreate	7	0xb0a5a0
WebUIResourceData	6	0xb0a5a4
WebUIResourceEnum	5	0xb0a5a8
WebUIResourceRegister	4	0xb0a5ac
WebUIResourceUnregister	3	0xb0a5b0
WebkitClose	21	0xb0a568
WebkitCreate	20	0xb0a56c
WebkitExecuteJavaScript	19	0xb0a570
WebkitGetWindow	18	0xb0a574
WebkitJavaScriptCallback	17	0xb0a578
WebkitLoadFinished	16	0xb0a57c
WebkitNavigate	15	0xb0a580
WebkitRepaint	14	0xb0a584
WebkitSetALTignore	13	0xb0a588
WebkitSetDrop	12	0xb0a58c
WebkitSetGeometry	11	0xb0a590
WebkitSetTransparent	10	0xb0a594
WebkitSetVisible	9	0xb0a598
__dbk_fcall_wrapper	2	0x411838
dbkFCallWrapperAddr	1	0xb55648

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 5568, Parent PID: 4432

General

Target ID:	0
Start time:	19:05:57
Start date:	28/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\KLWsv.dll"
Imagebase:	0xba0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6420, Parent PID: 5568

General

Target ID:	1
Start time:	19:05:57
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ff610000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 836, Parent PID: 5568

General

Target ID:	2
Start time:	19:05:57
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1
Imagebase:	0x290000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 4228, Parent PID: 5568

General

Target ID:	3
Start time:	19:05:57
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringClose
Imagebase:	0x10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 7384, Parent PID: 836

General

Target ID:	4
Start time:	19:05:57
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\KLWsv.dll",#1
Imagebase:	0x10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 5968, Parent PID: 5568

General

Target ID:	6
Start time:	19:06:00
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringCmp
Imagebase:	0x10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: rundll32.exePID: 2752, Parent PID: 5568

General

Target ID:	7
Start time:	19:06:03
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\KLWsv.dll,QStringCreate
Imagebase:	0x10000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KLWsv.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 5568, Parent PID: 4432

General

Chronological Activities

Analysis Process: conhost.exePID: 6420, Parent PID: 5568

General

Chronological Activities

Analysis Process: cmd.exePID: 836, Parent PID: 5568

General

Chronological Activities

Analysis Process: rundll32.exePID: 4228, Parent PID: 5568

General

Windows Analysis Report
KLWsv.dll