
Windows Analysis Report
Y7KU3yvGQ6.dll

Overview

General Information

Sample name: Y7KU3yvGQ6.dll (renamed because original name is a hash value)
Original sample name: ed7c5857a2a61a69f73ca5f01c0f1c8c.dll
Analysis ID: 1572153
MD5: ed7c5857a2a61a69f73ca5f01c0f1c8c
SHA1: ac4c87194f5b5b731c616bcc9873f8397796e686
SHA256: b3243d65c7b8bea56f75411c660afbc43e701b4cd453b47e61fb5a797a2e6c18
Tags: dll, user-abuse_ch

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Machine Learning detection for sample
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Entry point lies outside standard sections
One or more processes crash
PE file contains more sections than normal
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • loaddll32.exe (PID: 7280 cmdline: loaddll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7444 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7588 cmdline: rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7496 cmdline: rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,GetInstallDetailsPayload MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 7844 cmdline: rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,SignalInitializeCrashReporting MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 2968 cmdline: rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,TMethodImplementationIntercept MD5: 889B99C52A60DD49227C5E485A016679)
      • WerFault.exe (PID: 6284 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 768 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-10T07:35:02.004970+0100 | 2833577 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49755 | 192.124.216.14 | 80 | TCP


AV Detection

Source: Y7KU3yvGQ6.dll | Avira: detected
Source: Y7KU3yvGQ6.dll | ReversingLabs: Detection: 55%
Source: Y7KU3yvGQ6.dll | Virustotal: Detection: 44%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.5% probability
Source: Y7KU3yvGQ6.dll | Joe Sandbox ML: detected
Source: Y7KU3yvGQ6.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: Y7KU3yvGQ6.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT

Networking

Source: Network traffic | Suricata IDS: 2833577 - Severity 1 - ETPRO MALWARE Banload Variant CnC Activity : 192.168.2.10:49755 -> 192.124.216.14:80
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.124.216.14 80
Source: global traffic | HTTP traffic detected:
    POST /conta/index.php HTTP/1.0
    Connection: keep-alive
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 0
    Host: 192.124.216.14
    Accept: text/html, */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Source: unknown | TCP traffic detected without corresponding DNS query: 192.124.216.14 (5 occurrences)
Source: unknown | HTTP traffic detected: POST /conta/index.php HTTP/1.0 (same request and headers as the global traffic entry above)
Source: loaddll32.exe, 00000000.00000002.3185185175.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3185367194.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2128374995.000000006A0C1000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://192.124.216.14/conta/index.phpU
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.3185185175.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1539514545.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3185367194.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2127700203.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2128374995.000000006A0C1000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: http://www.indyproject.org/
Source: loaddll32.exe, 00000000.00000002.3185185175.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3185367194.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2128374995.000000006A0C1000.00000020.00000001.01000000.00000003.sdmp | String found in binary or memory: https://pastebin.com/raw/vn1EtvP0

System Summary

Source: Y7KU3yvGQ6.dll | Static PE information: section name: .#>*
Source: Y7KU3yvGQ6.dll | Static PE information: section name: .:!0
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Muster
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 768
Source: Y7KU3yvGQ6.dll | Static PE information: Number of sections : 12 > 10
Source: Y7KU3yvGQ6.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal96.evad.winDLL@13/5@0/1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2968
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\Aplicativo-Vaister
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\df2d954e-77ac-43c7-ae34-332c70152626
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (6 occurrences)
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,GetInstallDetailsPayload
Source: Y7KU3yvGQ6.dll | ReversingLabs: Detection: 55%
Source: Y7KU3yvGQ6.dll | Virustotal: Detection: 44%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,GetInstallDetailsPayload
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,SignalInitializeCrashReporting
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,TMethodImplementationIntercept
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 768
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wsock32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: magnification.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: d3d9.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: dwmapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Window found: window name: TEdit
Source: Y7KU3yvGQ6.dll | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Y7KU3yvGQ6.dll | Static file information: File size 17234944 > 1048576
Source: Y7KU3yvGQ6.dll | Static PE information: Raw size of .:!0 is bigger than: 0x100000 < 0x106e400
Source: Y7KU3yvGQ6.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: initial sample | Static PE information: section where entry point is pointing to: .:!0
Source: Y7KU3yvGQ6.dll | Static PE information: section name: .didata
Source: Y7KU3yvGQ6.dll | Static PE information: section name: .R6V
Source: Y7KU3yvGQ6.dll | Static PE information: section name: .#>*
Source: Y7KU3yvGQ6.dll | Static PE information: section name: .:!0

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 7763BA30 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 77064D90 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 7707EBF0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 755C8A90 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 755F0230 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 4C30005 value: E9 8B 2F A4 72
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 77672F90 value: E9 7A D0 5B 8D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 4C40005 value: E9 2B BA 9F 72
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 7763BA30 value: E9 DA 45 60 8D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 4C50008 value: E9 8B 8E A3 72
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 77688E90 value: E9 80 71 5C 8D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 4C70005 value: E9 8B 4D 3F 72
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 77064D90 value: E9 7A B2 C0 8D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 4C80005 value: E9 EB EB 3F 72
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 7707EBF0 value: E9 1A 14 C0 8D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 4C90005 value: E9 8B 8A 93 70
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 755C8A90 value: E9 7A 75 6C 8F
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 4DB0005 value: E9 2B 02 84 70
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7496 base: 755F0230 value: E9 DA FD 7B 8F
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: 3F0005 value: E9 8B 2F 28 77
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: 77672F90 value: E9 7A D0 D7 88
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: 600005 value: E9 2B BA 03 77
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: 7763BA30 value: E9 DA 45 FC 88
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: 970008 value: E9 8B 8E D1 76
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: 77688E90 value: E9 80 71 2E 89
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: CA0005 value: E9 8B 4D 3C 76
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: 77064D90 value: E9 7A B2 C3 89
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: CB0005 value: E9 EB EB 3C 76
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: 7707EBF0 value: E9 1A 14 C3 89
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: CC0005 value: E9 8B 8A 90 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: 755C8A90 value: E9 7A 75 6F 8B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: CD0005 value: E9 2B 02 92 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 7844 base: 755F0230 value: E9 DA FD 6D 8B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 3430005 value: E9 8B 2F 24 74
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 77672F90 value: E9 7A D0 DB 8B
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 4C10005 value: E9 2B BA A2 72
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 7763BA30 value: E9 DA 45 5D 8D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 4C20008 value: E9 8B 8E A6 72
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 77688E90 value: E9 80 71 59 8D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 4C40005 value: E9 8B 4D 42 72
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 77064D90 value: E9 7A B2 BD 8D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 4C50005 value: E9 EB EB 42 72
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 7707EBF0 value: E9 1A 14 BD 8D
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 4C60005 value: E9 8B 8A 96 70
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 755C8A90 value: E9 7A 75 69 8F
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 4C70005 value: E9 2B 02 98 70
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2968 base: 755F0230 value: E9 DA FD 67 8F
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (28 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (5 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (51 occurrences)

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C4DF10B
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6D148CF9
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C4C6E1E
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C3D7F3A
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C32314A
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6C526720
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6D11AB8D
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6D385DA9
Source: C:\Windows\System32\loaddll32.exe | API/Special instruction interceptor: Address: 6D36D673
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: Amcache.hve.11.dr | Binary or memory string: VMware
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr | Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.11.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort (2 occurrences)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.124.216.14 80
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
Source: Amcache.hve.11.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr | Binary or memory string: MsMpEng.exe
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | 1 Credential API Hooking | 121 Security Software Discovery | Remote Services | 1 Credential API Hooking | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 11 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Rundll32 | Security Account Manager | 11 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Source | Detection | Scanner | Label
Y7KU3yvGQ6.dll | 55% | ReversingLabs | Win32.Trojan.OusabanSpy
Y7KU3yvGQ6.dll | 44% | Virustotal |
Y7KU3yvGQ6.dll | 100% | Avira | HEUR/AGEN.1360814
Y7KU3yvGQ6.dll | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://192.124.216.14/conta/index.phpU | 0% | Avira URL Cloud | safe
http://192.124.216.14/conta/index.php | 0% | Avira URL Cloud | safe
http://www.indyproject.org/ | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://192.124.216.14/conta/index.php | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://192.124.216.14/conta/index.phpU | loaddll32.exe, 00000000.00000002.3185185175.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3185367194.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2128374995.000000006A0C1000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
http://upx.sf.net | Amcache.hve.11.dr | false | | high
http://www.indyproject.org/ | loaddll32.exe, 00000000.00000002.3185185175.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000003.1539514545.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.3185367194.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2127700203.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2128374995.000000006A0C1000.00000020.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://pastebin.com/raw/vn1EtvP0 | loaddll32.exe, 00000000.00000002.3185185175.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.3185367194.000000006A0C1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2128374995.000000006A0C1000.00000020.00000001.01000000.00000003.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
192.124.216.14 | unknown | Russian Federation | 15455 | EMBANK-ASRU | true
      Joe Sandbox version:41.0.0 Charoite
      Analysis ID:1572153
      Start date and time:2024-12-10 07:33:37 +01:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 6m 55s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Run name:Run with higher sleep bypass
Number of new started processes analysed:16
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:Y7KU3yvGQ6.dll
      renamed because original name is a hash value
      Original Sample Name:ed7c5857a2a61a69f73ca5f01c0f1c8c.dll
      Detection:MAL
      Classification:mal96.evad.winDLL@13/5@0/1
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .dll
      • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
      • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 52.182.143.212, 13.107.246.63, 52.149.20.212, 20.190.177.147
      • Excluded domains from analysis (whitelisted): onedsblobprdcus15.centralus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
      No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.124.216.14 | Fatura931Pendente956.pdf761.msi | malicious | Unknown | 192.124.216.14/ana/index.php
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
EMBANK-ASRU | Fatura931Pendente956.pdf761.msi | malicious | Unknown | 192.124.216.14
EMBANK-ASRU | https://marketing.edinburghairport.com/4QNA-A60M-5IWCT9-JVKO0-1/c.aspx?_externalContentRedirect=https://link.sbstck.com/redirect/43698733-83ea-4129-b836-e9d43d1ad5ed?j=eyJ1IjoiNDltdXZ6In0.CxolcWPhPGrBgw3rA0jd5lscc71sjQLfIOZNSPA48EY | malicious | Unknown | 192.124.216.133
EMBANK-ASRU | https://marketing.edinburghairport.com/4QNA-A60M-5IWCT9-JVKO0-1/c.aspx?_externalContentRedirect=https://link.sbstck.com/redirect/43698733-83ea-4129-b836-e9d43d1ad5ed?j=eyJ1IjoiNDltdXZ6In0.CxolcWPhPGrBgw3rA0jd5lscc71sjQLfIOZNSPA48EY | malicious | HTMLPhisher | 192.124.216.133
No context
No context
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):65536
      Entropy (8bit):0.9848683635639376
      Encrypted:false
      SSDEEP:192:AoCAeikOLO80BU/wjeTf3KZrbzuiF/Z24IO8dci:/Cvi1i3BU/wje2zuiF/Y4IO8dci
      MD5:43878DD00711C4B7C8C7AEB20B9298F2
      SHA1:E7D8C23B04F2AE122295790CD2660D3975637D7D
      SHA-256:6416AFC720C391540275C6D71ECD3D433EE3B0B14A1E982783C83569501ED9B9
      SHA-512:BDF85867651D61521A08AE555EBD488635B4046BA40BC2B1D63CE31B154519AD83C9D3EAE7BEC4FBCA9EF47369E0068411E26B99DB8A179453EC471B07076462
      Malicious:false
      Reputation:low
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:Mini DuMP crash report, 14 streams, Tue Dec 10 06:35:07 2024, 0x1205a4 type
      Category:dropped
      Size (bytes):45044
      Entropy (8bit):2.1007886533062896
      Encrypted:false
      SSDEEP:192:sxRTWrXYS77KO5H4e3LmdvzyL2I6DSfx3kMq:smF5H3bCvGL2I6akM
      MD5:C479BD6581A15A069C36452254099CC4
      SHA1:5A3A5FB20FF94F3E2BAA27FB85A39A9BB9F34E39
      SHA-256:730AAD92546AB9B0DB2882B83470B1C25EB4D4AE10DD36FE9242A4EA904FE3A6
      SHA-512:810425BE3181D21F8E5B52BB6DF6A575B4772D5D7A610F4C11E610EF52C2953FF378E342ED544F42D09CA917DE4288FAC3C0561D76E4A2FB4106F532E2187208
      Malicious:false
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
      Category:dropped
      Size (bytes):8326
      Entropy (8bit):3.6988020049214336
      Encrypted:false
      SSDEEP:192:R6l7wVeJQL6G6YP66TugmfT4spr/89bHbUsf0e9tjm:R6lXJk6G6Yi6TugmfT45HbHfLn6
      MD5:C442D79F3F9269DAB2B248304B6647FB
      SHA1:D4581715CF6ECFFB1FD06289698ABD6EE57D3ABF
      SHA-256:33B675FBD5ED659F367CE5C3858182E661BA2AD17FAA01E300DFBC9621332050
      SHA-512:2B9DBFA9D1C9B08DA3812357D6BF3EBDF135D1E911EBCE439BA09643EBCAD5C0CC5A5FD35C6D8F3BB73C1A967D46844EAF80011C008A0C4D782A1ABC77D5A0FD
      Malicious:false
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
      Category:dropped
      Size (bytes):4650
      Entropy (8bit):4.470486231171704
      Encrypted:false
      SSDEEP:48:cvIwWl8zs+Jg77aI9VKWpW8VYRYm8M4JCdPzFWVJ+q8/7SGScSkd:uIjf0I7Tr7VpJdVJrJ3kd
      MD5:4521295319D1B7A36035792A03AA9A4C
      SHA1:CA944DCAF91016277C74FE9D545A07E74D219EBA
      SHA-256:7683B85B37EA3B5D4E17EE380344898FEA61D6781D2E04FDEFA3C38E62B8689F
      SHA-512:D1CCC1D4580C39C066ADA89A360E13E260C8CC9AFE42FCF53EE9389EA83EB2863CF1CE5D9FAC217AB35B977619B4DCEF0098BB31442034849232CCADA38754E4
      Malicious:false
      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="624817" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
      Process:C:\Windows\SysWOW64\WerFault.exe
      File Type:MS Windows registry file, NT/2000 or above
      Category:dropped
      Size (bytes):1835008
      Entropy (8bit):4.296136627269415
      Encrypted:false
      SSDEEP:6144:v41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+ewmBMZJh1Vj/:A1/YCW2AoQ0NiIwwMHrVT
      MD5:408282D029CB952DA0356501FC54F0A3
      SHA1:744C32979772135AD2B43B086C3020BD38D548E8
      SHA-256:426F47BDE1D7C56285326AB16321FE2346559626985937260B821ABD0A32D1C1
      SHA-512:39F2ECEC4A324B94613E622A4642D525A6242336422FD8EA872534A0DAB01C1C00BD9AD85CD7FC706C8B593E94B4888F44FD8001248DEB82A99933EE5F69F576
      Malicious:false
      File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
      Entropy (8bit):7.972921603246253
      TrID:
      • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
      • Generic Win/DOS Executable (2004/3) 0.20%
      • DOS Executable Generic (2002/1) 0.20%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:Y7KU3yvGQ6.dll
      File size:17'234'944 bytes
      MD5:ed7c5857a2a61a69f73ca5f01c0f1c8c
      SHA1:ac4c87194f5b5b731c616bcc9873f8397796e686
      SHA256:b3243d65c7b8bea56f75411c660afbc43e701b4cd453b47e61fb5a797a2e6c18
      SHA512:6dcb6580e388d3e33c835e778dad82472dbeecfd4e4cfb093ef4da9561de12131c7217bc2618d040946563d2738de098f16090ccc61d9d09bd29050b934fe733
      SSDEEP:393216:uwARThTHHFaR5gKCpzOXO/W5GGWVq/mBaW9PRtXmbbZ:fARlT8XCAXO/WMfc/mD7mbF
      TLSH:1507339A7DDB4091E4C108F4DB1B7BDB23F2961A4AC708397DC539C630E1FA6622B947
      File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
      Icon Hash:7ae282899bbab082
      Entrypoint:0x34b66f4
      Entrypoint Section:.:!0
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, DLL, BYTES_REVERSED_HI
      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
      Time Stamp:0x675705E5 [Mon Dec 9 14:59:49 2024 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:5
      OS Version Minor:0
      File Version Major:5
      File Version Minor:0
      Subsystem Version Major:5
      Subsystem Version Minor:0
      Import Hash:66e4b3441c1028ee7f0c98948771803c
      Instruction
      call 00007F3CC4C30E9Eh
      inc ecx
      mov ebx, A2164D22h
      dec ecx
      bswap ebx
      dec ecx
      sub esp, 00000004h
      inc ecx
      mov esi, dword ptr [esp]
      dec ecx
      sar ebx, 17h
      inc ebp
      mov edi, ebx
      dec edi
      lea ebx, dword ptr [ebx+edi*8+7A37760Fh]
      inc ecx
      xor esi, edx
      inc bp
      btc ebx, ebx
      dec ecx
      bts ebx, FFFFFFA2h
      inc bp
      btc ebx, edi
      rol esi, 1
      inc edx
      lea esi, dword ptr [esi+edi-68298774h]
      inc ecx
      movsx edi, di
      inc ebp
      movzx ecx, di
      dec ebp
      lea eax, dword ptr [edi+4F0A48B6h]
      xor esi, 36877B93h
      dec ebx
      lea eax, dword ptr [ecx+ecx+428CDF20h]
      inc ebp
      movsx esi, ax
      inc esi
      inc ecx
      push edx
      cdq
      inc ecx
      movzx ebx, al
      inc ecx
      xor bl, bl
      xor dword ptr [esp+edi*2-00008800h], esi
      inc ecx
      pop edx
      dec edx
      lea ecx, dword ptr [edi+esi*8-5A6073D1h]
      dec eax
      arpl si, si
      dec esp
      add ebp, esi
      cwd
      jmp 00007F3CC4B6C4DEh
      mov edi, 2BA81C05h
      jmp 00007F3CC4CE41F7h
      xor ecx, ebx
      bswap ecx
      shl dx, 006Ah
      sal dl, FFFFFF87h
      dec ecx
      ror ecx, 02h
      inc ecx
      sal ax, 004Fh
      lea edx, dword ptr [edx+edx*2-6EF0BE74h]
      cmovnb eax, edx
      xor ebx, ecx
      add edi, ecx
      cwde
      sar edx, 77h
      mov edx, dword ptr [ebp+edx*2-0000017Dh]
      add al, al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x2434354 | 0xe2 | .:!0
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2fe5bd8 | 0x230 | .:!0
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x32d1000 | 0x4f8 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2261000 | 0xf0 | .#>*
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x30521e4 | 0x1c0 | .:!0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x30a204 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x30c000 | 0x24d4 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x30f000 | 0x10280 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x320000 | 0x6fbc | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x327000 | 0x3d52 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x32b000 | 0xa9a | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x32c000 | 0xe2 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rdata | 0x32d000 | 0x44 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.R6V | 0x32e000 | 0x1f32230 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.#>* | 0x2261000 | 0xcc0 | 0xe00 | cb6a4370d0f0ca6913354c77f94c88a7 | False | 0.050502232142857144 | data | 0.41212055563753786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.:!0 | 0x2262000 | 0x106e260 | 0x106e400 | 0a60ebea294551d19f091c7380ab69a1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x32d1000 | 0x4f8 | 0x600 | e7ea81a6b93ce920adeaa4dea3e31913 | False | 0.4427083333333333 | data | 3.9922583785129406 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
DLL | Import
oleaut32.dll | SysFreeString
advapi32.dll | RegQueryValueExW
user32.dll | CharNextW
kernel32.dll | GetVersion
kernel32.dll | GetProcAddress
user32.dll | SetClassLongW
gdi32.dll | UnrealizeObject
version.dll | VerQueryValueW
kernel32.dll | GetVersionExW, GetVersion
advapi32.dll | RegUnLoadKeyW
kernel32.dll | Sleep
netapi32.dll | NetApiBufferFree
oleaut32.dll | SafeArrayPtrOfIndex
oleaut32.dll | GetErrorInfo
ole32.dll | OleUninitialize
shell32.dll | Shell_NotifyIconW
comctl32.dll | InitializeFlatSB
user32.dll | EnumDisplayMonitors
msvcrt.dll | memset
shell32.dll | SHGetFolderPathW
winspool.drv | OpenPrinterW
winspool.drv | GetDefaultPrinterW
wsock32.dll | WSACleanup
Magnification.dll | MagSetImageScalingCallback
kernel32.dll | GetConsoleWindow
kernel32.dll | GetSystemTimeAsFileTime
kernel32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress
Name | Ordinal | Address
GetInstallDetailsPayload | 5 | 0x700c98
SignalInitializeCrashReporting | 4 | 0x700c9c
TMethodImplementationIntercept | 3 | 0x4643b0
__dbk_fcall_wrapper | 2 | 0x410bb4
dbkFCallWrapperAddr | 1 | 0x723634
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 07:34:59.967338085 CET | 49755 | 80 | 192.168.2.10 | 192.124.216.14
Dec 10, 2024 07:35:00.086798906 CET | 80 | 49755 | 192.124.216.14 | 192.168.2.10
Dec 10, 2024 07:35:00.087058067 CET | 49755 | 80 | 192.168.2.10 | 192.124.216.14
Dec 10, 2024 07:35:00.087373972 CET | 49755 | 80 | 192.168.2.10 | 192.124.216.14
Dec 10, 2024 07:35:00.207566977 CET | 80 | 49755 | 192.124.216.14 | 192.168.2.10
Dec 10, 2024 07:35:02.004285097 CET | 80 | 49755 | 192.124.216.14 | 192.168.2.10
Dec 10, 2024 07:35:02.004970074 CET | 49755 | 80 | 192.168.2.10 | 192.124.216.14
Dec 10, 2024 07:35:02.124939919 CET | 80 | 49755 | 192.124.216.14 | 192.168.2.10
Dec 10, 2024 07:35:02.125040054 CET | 49755 | 80 | 192.168.2.10 | 192.124.216.14
• 192.124.216.14
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49755 | 192.124.216.14 | 80 | 7844 | C:\Windows\SysWOW64\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 07:35:00.087373972 CET | 236 | OUT | POST /conta/index.php HTTP/1.0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Host: 192.124.216.14
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Dec 10, 2024 07:35:02.004285097 CET | 203 | IN | HTTP/1.1 200 OK
Date: Tue, 10 Dec 2024 06:35:01 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
      Target ID:0
      Start time:01:34:33
      Start date:10/12/2024
      Path:C:\Windows\System32\loaddll32.exe
      Wow64 process (32bit):true
      Commandline:loaddll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll"
      Imagebase:0xaa0000
      File size:126'464 bytes
      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:1
      Start time:01:34:33
      Start date:10/12/2024
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff620390000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:3
      Start time:01:34:33
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
      Imagebase:0xd70000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:4
      Start time:01:34:33
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,GetInstallDetailsPayload
      Imagebase:0xd60000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:5
      Start time:01:34:33
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\Y7KU3yvGQ6.dll",#1
      Imagebase:0xd60000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:false

      Target ID:6
      Start time:01:34:37
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,SignalInitializeCrashReporting
      Imagebase:0xd60000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:false

      Target ID:7
      Start time:01:34:40
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe C:\Users\user\Desktop\Y7KU3yvGQ6.dll,TMethodImplementationIntercept
      Imagebase:0xd60000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Borland Delphi
      Reputation:high
      Has exited:true

      Target ID:11
      Start time:01:35:06
      Start date:10/12/2024
      Path:C:\Windows\SysWOW64\WerFault.exe
      Wow64 process (32bit):true
      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 768
      Imagebase:0x850000
      File size:483'680 bytes
      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      No disassembly