
Windows Analysis Report
250427-ve97pavsas.bin.dll

Overview

General Information

Sample name:250427-ve97pavsas.bin.dll
Analysis ID:1675549
MD5:d949604205db41a0391ded5215d70806
SHA1:f979238f9b8f5045e63424042c0a849b24a0e1fd
SHA256:1e8c98e08eda259d4ace14dd657375c8c1ce9c6a7c2076bcb54c3cabcd33e741
Tags:user-UNP4CK
Infos:

Detection

Score:64
Range:0 - 100
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Creates an undocumented autostart registry key
Uses dynamic DNS services
Creates a process in suspended mode (likely to inject code)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Classification chart (labels recovered from the image): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
  • System is w10x64
  • loaddll32.exe (PID: 7816 cmdline: loaddll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7868 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 7884 cmdline: rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: 250427-ve97pavsas.bin.dll | Avira: detected
Source: 250427-ve97pavsas.bin.dll | Virustotal: Detection: 80%
Source: 250427-ve97pavsas.bin.dll | ReversingLabs: Detection: 75%
Source: 250427-ve97pavsas.bin.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Source: unknown | DNS query: name: plunix.3322.org
Source: unknown | DNS query: name: w1802.3322.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (24 identical entries)
Source: global traffic | DNS traffic detected: DNS query: w1802.3322.org
Source: global traffic | DNS traffic detected: DNS query: plunix.3322.org
Source: loaddll32.exe, 00000000.00000002.2473256946.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2473256946.00000000008E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/
Source: loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/1.exe
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/1.exe#Q
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/1.exe=Q
Source: loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/1.exeSysy
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/1.exerV
Source: loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/2.exe
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/2.exeMV
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/2.exeUX
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/2.exe_XK
Source: loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/2.exeempy
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/2.exeuCS
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/2.exezX(
Source: loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/3.exe
Source: loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/3.exeC:
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/3.exekX_
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/3.exepXR
Source: loaddll32.exe, 00000000.00000002.2473256946.00000000008E5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://plunix.3322.org/y
Source: 250427-ve97pavsas.bin.dll | Binary or memory string: OriginalFilename vs 250427-ve97pavsas.bin.dll
Source: 250427-ve97pavsas.bin.dll | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: classification engine | Classification label: mal64.troj.winDLL@6/0@24/0
Source: C:\Windows\System32\loaddll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\DLL_PROCESS_FALSE_1802
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
Source: 250427-ve97pavsas.bin.dll | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1
Source: 250427-ve97pavsas.bin.dll | Virustotal: Detection: 80%
Source: 250427-ve97pavsas.bin.dll | ReversingLabs: Detection: 75%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1
Source: C:\Windows\System32\loaddll32.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: mfc42.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: napinsp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: wshbth.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winrnr.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\loaddll32.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Boot Survival

Source: C:\Windows\System32\loaddll32.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: loaddll32.exe, 00000000.00000002.2473256946.0000000000877000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$$
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1
MITRE ATT&CK matrix (flattened table rebuilt as one line per tactic; the numbers preceding some techniques are kept as they appear in the report):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Logon Script (Windows); Login Hook
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; 1 Registry Run Keys / Startup Folder; Login Hook
Defense Evasion: 1 Rundll32; 1 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 System Information Discovery; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (image not included; recoverable data only): ID 1675549, Sample 250427-ve97pavsas.bin.dll, Start date 27/04/2025, Architecture WINDOWS, Score 64. Processes started: loaddll32.exe, cmd.exe, conhost.exe, rundll32.exe. Contacted domains: w1802.3322.org, plunix.3322.org. Signatures on the graph: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Uses dynamic DNS services; Creates an undocumented autostart registry key.

Source | Detection | Scanner | Label
250427-ve97pavsas.bin.dll | 80% | Virustotal |
250427-ve97pavsas.bin.dll | 75% | ReversingLabs | Win32.Trojan.Kerproc
250427-ve97pavsas.bin.dll | 100% | Avira | TR/Downloader.Gen
No Antivirus matches
Source | Detection | Scanner | Label
http://plunix.3322.org/2.exezX( | 0% | Avira URL Cloud | safe
http://plunix.3322.org/2.exe_XK | 0% | Avira URL Cloud | safe
http://plunix.3322.org/2.exe | 0% | Avira URL Cloud | safe
http://plunix.3322.org/3.exekX_ | 0% | Avira URL Cloud | safe
http://plunix.3322.org/3.exeC: | 0% | Avira URL Cloud | safe
http://plunix.3322.org/ | 0% | Avira URL Cloud | safe
http://plunix.3322.org/2.exeUX | 0% | Avira URL Cloud | safe
http://plunix.3322.org/2.exeMV | 0% | Avira URL Cloud | safe
http://plunix.3322.org/3.exepXR | 0% | Avira URL Cloud | safe
http://plunix.3322.org/2.exeuCS | 0% | Avira URL Cloud | safe
http://plunix.3322.org/1.exerV | 0% | Avira URL Cloud | safe
http://plunix.3322.org/1.exeSysy | 0% | Avira URL Cloud | safe
http://plunix.3322.org/1.exe | 0% | Avira URL Cloud | safe
http://plunix.3322.org/1.exe#Q | 0% | Avira URL Cloud | safe
http://plunix.3322.org/y | 0% | Avira URL Cloud | safe
http://plunix.3322.org/3.exe | 0% | Avira URL Cloud | safe
http://plunix.3322.org/2.exeempy | 0% | Avira URL Cloud | safe
http://plunix.3322.org/1.exe=Q | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
plunix.3322.org | unknown | unknown | true | | unknown
w1802.3322.org | unknown | unknown | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://plunix.3322.org/ | loaddll32.exe, 00000000.00000002.2473256946.00000000008E5000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2473256946.00000000008E2000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/2.exe | loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/2.exeUX | loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/2.exezX( | loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/3.exepXR | loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/2.exeMV | loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/2.exeuCS | loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/2.exe_XK | loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/3.exekX_ | loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/3.exeC: | loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/1.exerV | loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/1.exeSysy | loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/1.exe | loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/y | loaddll32.exe, 00000000.00000002.2473256946.00000000008E5000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/3.exe | loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/1.exe#Q | loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/2.exeempy | loaddll32.exe, 00000000.00000002.2473496429.0000000000D20000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://plunix.3322.org/1.exe=Q | loaddll32.exe, 00000000.00000002.2473256946.0000000000893000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version:42.0.0 Malachite
Analysis ID:1675549
Start date and time:2025-04-27 19:05:43 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 52s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:Run with higher sleep bypass
Number of new started processes analysed:14
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:250427-ve97pavsas.bin.dll
Detection:MAL
Classification:mal64.troj.winDLL@6/0@24/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .dll
  • Sleeps longer than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 184.85.78.223, 20.109.210.53
  • Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No created / dropped files found
File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.019264494741159
TrID:
  • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
  • Generic Win/DOS Executable (2004/3) 0.20%
  • DOS Executable Generic (2002/1) 0.20%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:250427-ve97pavsas.bin.dll
File size:26'624 bytes
MD5:d949604205db41a0391ded5215d70806
SHA1:f979238f9b8f5045e63424042c0a849b24a0e1fd
SHA256:1e8c98e08eda259d4ace14dd657375c8c1ce9c6a7c2076bcb54c3cabcd33e741
SHA512:e46b55c98dc2ebc6a2d4783ea831d35f99a2e94f566d7308124eb0bbee729b37524ab4a0ea53c294f2d1ee5aa87dbd8248dc39694b9d21206b44ea74a9df9f7a
SSDEEP:384:keyKDQgcSnTuIJKRQ8qgnS/l4yJNYQHYYuR11dYaPFUFl4IzgvwEvJ3Tte:pDv/C8xgnS/lTHYYuR1TFF/IMIERTt
TLSH:69C22B1277C109E4DB2E1A30749F177A897AA6A106E519C3AF72EC789437377E637103
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ud..1...1...1...1...2...S...;...^...3.......3...^...5...^...3...1...z....#..2....#..5.......0....%..0...Rich1..................
Icon Hash:7ae282899bbab082
Entrypoint:0x1000540b
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x10000000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
DLL Characteristics:
Time Stamp:0x48E581C7 [Fri Oct 3 02:21:59 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:d20a71558bf51c0f03e653a52a39389d
Instruction
push ebp
mov ebp, esp
push ebx
mov ebx, dword ptr [ebp+08h]
push esi
mov esi, dword ptr [ebp+0Ch]
push edi
mov edi, dword ptr [ebp+10h]
test esi, esi
jne 00007F7310E0C97Bh
cmp dword ptr [1000758Ch], 00000000h
jmp 00007F7310E0C998h
cmp esi, 01h
je 00007F7310E0C977h
cmp esi, 02h
jne 00007F7310E0C994h
mov eax, dword ptr [10007010h]
test eax, eax
je 00007F7310E0C97Bh
push edi
push esi
push ebx
call eax
test eax, eax
je 00007F7310E0C97Eh
push edi
push esi
push ebx
call 00007F7310E0C88Ah
test eax, eax
jne 00007F7310E0C976h
xor eax, eax
jmp 00007F7310E0C9C0h
push edi
push esi
push ebx
call 00007F7310E0C59Ah
cmp esi, 01h
mov dword ptr [ebp+0Ch], eax
jne 00007F7310E0C97Eh
test eax, eax
jne 00007F7310E0C9A9h
push edi
push eax
push ebx
call 00007F7310E0C866h
test esi, esi
je 00007F7310E0C977h
cmp esi, 03h
jne 00007F7310E0C998h
push edi
push esi
push ebx
call 00007F7310E0C855h
test eax, eax
jne 00007F7310E0C975h
and dword ptr [ebp+0Ch], eax
cmp dword ptr [ebp+0Ch], 00000000h
je 00007F7310E0C983h
mov eax, dword ptr [10007010h]
test eax, eax
je 00007F7310E0C97Ah
push edi
push esi
push ebx
call eax
mov dword ptr [ebp+0Ch], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
pop esi
pop ebx
pop ebp
retn 000Ch
jmp dword ptr [100060C8h]
jmp dword ptr [100060C4h]
jmp dword ptr [100060BCh]
jmp dword ptr [10006140h]
jmp dword ptr [10006138h]
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 00005118h
Programming Language:
  • [C++] VS98 (6.0) SP6 build 8804
  • [EXP] VC++ 6.0 SP5 build 8804
  • [LNK] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6910 | 0x32 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6500 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x360 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9000 | 0x3e4 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x6000 | 0x148 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4846 | 0x4a00 | 7bd375e1f4d439122ee954fcab3dfb40 | False | 0.49588260135135137 | data | 6.277053745313518 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x6000 | 0x942 | 0xa00 | 6263914dc9bd0c8851e0f24f038d5643 | False | 0.410546875 | data | 4.125311615838973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x7000 | 0x59c | 0x600 | 16b7682d25b40450369f3e1850a5034c | False | 0.607421875 | Matlab v4 mat-file (little endian) \310\360, numeric, rows 0, columns 0 | 5.255872438338646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x8000 | 0x360 | 0x400 | ae6db61c5104be57ac818c5e0f0bd2d9 | False | 0.380859375 | data | 2.62885010204959 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9000 | 0x4a0 | 0x600 | 93354129e6f53d8891fec21e78579fc0 | False | 0.58984375 | data | 4.912469921422045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_STRING | 0x8318 | 0x44 | data | Chinese | China | 0.7794117647058824
RT_VERSION | 0x80a0 | 0x274 | data | Chinese | China | 0.46496815286624205

DLL | Import
MFC42.DLL |
MSVCRT.dll | _adjust_fdiv, _initterm, free, ?terminate@@YAXXZ, _except_handler3, strstr, malloc, strchr, atoi, rand, strncpy, __CxxFrameHandler, time, sprintf, srand
KERNEL32.dll | GetVersionExA, GetTempPathA, GetSystemDirectoryA, CreateMutexA, WinExec, ExitThread, CreateThread, GetLastError, Sleep
USER32.dll | wsprintfA
ADVAPI32.dll | RegQueryValueExA, RegCloseKey, RegOpenKeyExA, RegSetValueExA
SHELL32.dll | ShellExecuteA
urlmon.dll | URLDownloadToFileA
WS2_32.dll | setsockopt, select, closesocket, recv, send, WSAStartup, connect, inet_addr, htons, socket, inet_ntoa, gethostbyname, __WSAFDIsSet

Description | Data
Comments |
CompanyName |
FileDescription |
FileVersion |
InternalName |
LegalCopyright |
LegalTrademarks |
OriginalFilename |
PrivateBuild |
ProductName |
ProductVersion |
SpecialBuild |
Translation | 0x0804 0x04b0

Language of compilation system | Country where language is spoken
Chinese | China


Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 27, 2025 19:06:32.623028040 CEST | 58147 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:06:32.769664049 CEST | 60890 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:06:32.938177109 CEST | 53 | 58147 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:06:33.068926096 CEST | 53 | 60890 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:06:37.949034929 CEST | 54726 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:06:38.260787964 CEST | 53 | 54726 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:06:43.297544003 CEST | 52255 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:06:43.607287884 CEST | 53 | 52255 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:06:48.621123075 CEST | 62365 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:06:48.922725916 CEST | 53 | 62365 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:06:53.982332945 CEST | 51539 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:06:54.132534981 CEST | 53 | 51539 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:06:59.308096886 CEST | 62491 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:06:59.456839085 CEST | 53 | 62491 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:04.471088886 CEST | 53954 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:04.617582083 CEST | 53 | 53954 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:09.729707956 CEST | 59098 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:09.879362106 CEST | 53 | 59098 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:14.886003017 CEST | 63172 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:15.052705050 CEST | 53 | 63172 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:20.057915926 CEST | 52228 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:20.369846106 CEST | 53 | 52228 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:25.390296936 CEST | 65423 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:25.552836895 CEST | 53 | 65423 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:30.559889078 CEST | 55455 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:30.704516888 CEST | 53 | 55455 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:35.715038061 CEST | 55839 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:36.008804083 CEST | 53 | 55839 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:41.011472940 CEST | 65014 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:41.162478924 CEST | 53 | 65014 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:46.172811031 CEST | 63971 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:46.468578100 CEST | 53 | 63971 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:51.495846033 CEST | 51106 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:51.789588928 CEST | 53 | 51106 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:07:56.792870998 CEST | 52800 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:07:56.934115887 CEST | 53 | 52800 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:08:01.949115038 CEST | 56203 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:08:02.105421066 CEST | 53 | 56203 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:08:07.154072046 CEST | 54652 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:08:07.303347111 CEST | 53 | 54652 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:08:12.309233904 CEST | 51121 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:08:12.449671984 CEST | 53 | 51121 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:08:17.464756012 CEST | 60471 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:08:17.612675905 CEST | 53 | 60471 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:08:22.620681047 CEST | 53324 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:08:22.940134048 CEST | 53 | 53324 | 1.1.1.1 | 192.168.2.5
Apr 27, 2025 19:08:27.949099064 CEST | 55427 | 53 | 192.168.2.5 | 1.1.1.1
Apr 27, 2025 19:08:28.120117903 CEST | 53 | 55427 | 1.1.1.1 | 192.168.2.5
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name             Type            Class        DNS over HTTPS
Apr 27, 2025 19:06:32.623028040 CEST  192.168.2.5  1.1.1.1  0x2b29    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:06:32.769664049 CEST  192.168.2.5  1.1.1.1  0x5aea    Standard query (0)  plunix.3322.org  A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:06:37.949034929 CEST  192.168.2.5  1.1.1.1  0x84eb    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:06:43.297544003 CEST  192.168.2.5  1.1.1.1  0xe21e    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:06:48.621123075 CEST  192.168.2.5  1.1.1.1  0x810     Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:06:53.982332945 CEST  192.168.2.5  1.1.1.1  0x577f    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:06:59.308096886 CEST  192.168.2.5  1.1.1.1  0x35d9    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:04.471088886 CEST  192.168.2.5  1.1.1.1  0xa957    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:09.729707956 CEST  192.168.2.5  1.1.1.1  0xc23e    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:14.886003017 CEST  192.168.2.5  1.1.1.1  0x5739    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:20.057915926 CEST  192.168.2.5  1.1.1.1  0x96c3    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:25.390296936 CEST  192.168.2.5  1.1.1.1  0x29c4    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:30.559889078 CEST  192.168.2.5  1.1.1.1  0xca77    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:35.715038061 CEST  192.168.2.5  1.1.1.1  0xfa30    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:41.011472940 CEST  192.168.2.5  1.1.1.1  0xe892    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:46.172811031 CEST  192.168.2.5  1.1.1.1  0xa608    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:51.495846033 CEST  192.168.2.5  1.1.1.1  0xc71b    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:07:56.792870998 CEST  192.168.2.5  1.1.1.1  0x3e17    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:08:01.949115038 CEST  192.168.2.5  1.1.1.1  0x21d6    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:08:07.154072046 CEST  192.168.2.5  1.1.1.1  0x6a9b    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:08:12.309233904 CEST  192.168.2.5  1.1.1.1  0x14a6    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:08:17.464756012 CEST  192.168.2.5  1.1.1.1  0x1e57    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:08:22.620681047 CEST  192.168.2.5  1.1.1.1  0x87d3    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false
Apr 27, 2025 19:08:27.949099064 CEST  192.168.2.5  1.1.1.1  0xda00    Standard query (0)  w1802.3322.org   A (IP address)  IN (0x0001)  false

      Target ID:0
      Start time:13:06:31
      Start date:27/04/2025
      Path:C:\Windows\System32\loaddll32.exe
      Wow64 process (32bit):true
      Commandline:loaddll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll"
      Imagebase:0x280000
      File size:126'464 bytes
      MD5 hash:51E6071F9CBA48E79F10C84515AAE618
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:1
      Start time:13:06:31
      Start date:27/04/2025
      Path:C:\Windows\System32\conhost.exe
      Wow64 process (32bit):false
      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Imagebase:0x7ff7e2000000
      File size:862'208 bytes
      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:2
      Start time:13:06:32
      Start date:27/04/2025
      Path:C:\Windows\SysWOW64\cmd.exe
      Wow64 process (32bit):true
      Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1
      Imagebase:0x220000
      File size:236'544 bytes
      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      Target ID:3
      Start time:13:06:32
      Start date:27/04/2025
      Path:C:\Windows\SysWOW64\rundll32.exe
      Wow64 process (32bit):true
      Commandline:rundll32.exe "C:\Users\user\Desktop\250427-ve97pavsas.bin.dll",#1
      Imagebase:0x600000
      File size:61'440 bytes
      MD5 hash:889B99C52A60DD49227C5E485A016679
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:C, C++ or other language
      Reputation:high
      Has exited:true

      No disassembly