Create Interactive Tour

Analysis Report dgiusjeja64_mediasrv.png

Overview

General Information

Sample Name:	dgiusjeja64_mediasrv.png (renamed file extension from png to dll)
Analysis ID:	370722
MD5:	c13860727871a39063e0bb58117919ba
SHA1:	4f91c6240d459858b7723e843d2ed37e1e9d152b
SHA256:	8fa363bec94402d57a8c1acb288e9d9ca0a28eee18d300359e83252c60e01719
Infos:
Most interesting Screenshot:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Sample file is different than original file name gathered from version info

Classification

Startup

System is w10x64

loaddll64.exe (PID: 2792 cmdline: loaddll64.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll' MD5: 8E81A09C7B4484341759E793AC330CB2)

rundll32.exe (PID: 5504 cmdline: rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 784 cmdline: rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,SvchostPushServiceGlobals MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6108 cmdline: rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,decra MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 5816 cmdline: C:\Windows\system32\WerFault.exe -u -p 6108 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

cmd.exe (PID: 3176 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)

rundll32.exe (PID: 5448 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1 MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 1744 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6072 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 3396 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',decra MD5: 73C519F050C20580F8A62C849D49215A)

WerFault.exe (PID: 4912 cmdline: C:\Windows\system32\WerFault.exe -u -p 3396 -s 316 MD5: 2AFFE478D86272288BBEF5A00BBEF6A0)

rundll32.exe (PID: 5812 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain MD5: 73C519F050C20580F8A62C849D49215A)

rundll32.exe (PID: 6076 cmdline: rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Compliance
• Spreading
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: dgiusjeja64_mediasrv.dll

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: dgiusjeja64_mediasrv.dll	Virustotal: Detection: 48%	Perma Link
Source: dgiusjeja64_mediasrv.dll	Metadefender: Detection: 45%	Perma Link
Source: dgiusjeja64_mediasrv.dll	ReversingLabs: Detection: 78%

Source: dgiusjeja64_mediasrv.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007FFB522D05B4 FindFirstFileExA,

1_2_00007FFB522D05B4

Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB522D03A8	1_2_00007FFB522D03A8
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB522D53F8	1_2_00007FFB522D53F8
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB522C1654	1_2_00007FFB522C1654

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6108 -s 316

Source: dgiusjeja64_mediasrv.dll

Binary or memory string: OriginalFilenameAdobe type6 vs dgiusjeja64_mediasrv.dll

Source: classification engine

Classification label: mal56.winDLL@23/8@0/1

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007FFB522C7FD8 GetCurrentThreadId,GetCurrentProcessId,CreateToolhelp32Snapshot,Thread32First,OpenThread,ResumeThread,SuspendThread,FindCloseChangeNotification,Thread32Next,CloseHandle,

1_2_00007FFB522C7FD8

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007FFB522C5CD8 GetModuleHandleW,FindResourceW,LoadResource,

1_2_00007FFB522C5CD8

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3396
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6108

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4093.tmp

Jump to behavior

Source: dgiusjeja64_mediasrv.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain

Source: dgiusjeja64_mediasrv.dll	Virustotal: Detection: 48%
Source: dgiusjeja64_mediasrv.dll	Metadefender: Detection: 45%
Source: dgiusjeja64_mediasrv.dll	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll'
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,SvchostPushServiceGlobals
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,decra
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6108 -s 316
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',decra
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3396 -s 316
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,SvchostPushServiceGlobals	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,decra	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',decra	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',ServiceMain	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',SvchostPushServiceGlobals	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1	Jump to behavior

Source: dgiusjeja64_mediasrv.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: dgiusjeja64_mediasrv.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: dgiusjeja64_mediasrv.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: dgiusjeja64_mediasrv.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: dgiusjeja64_mediasrv.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: dgiusjeja64_mediasrv.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: dgiusjeja64_mediasrv.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: dgiusjeja64_mediasrv.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: dgiusjeja64_mediasrv.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: dgiusjeja64_mediasrv.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: dgiusjeja64_mediasrv.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: dgiusjeja64_mediasrv.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: dgiusjeja64_mediasrv.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: dgiusjeja64_mediasrv.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007FFB522C5D8C GetModuleFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GetCurrentProcess,WriteProcessMemory,LoadLibraryW,GetProcAddress,GetCurrentProcess,ReadProcessMemory,GetCurrentProcess,WriteProcessMemory,LoadLibraryW,GetProcAddress,wsprintfA,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,GetCurrentProcess,WriteProcessMemory,

1_2_00007FFB522C5D8C

Source: dgiusjeja64_mediasrv.dll

Static PE information: section name: _RDATA

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

1_2_00007FFB522C7FD8

Source: C:\Windows\System32\loaddll64.exe TID: 3112	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\loaddll64.exe TID: 3112	Thread sleep time: -120000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007FFB522D05B4 FindFirstFileExA,

1_2_00007FFB522D05B4

Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007FFB522C9810 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_00007FFB522C9810

Source: C:\Windows\System32\rundll32.exe

1_2_00007FFB522C7FD8

Source: C:\Windows\System32\rundll32.exe

1_2_00007FFB522C5D8C

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007FFB522D1624 GetProcessHeap,

1_2_00007FFB522D1624

Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB522C9810 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFB522C9810
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB522CE0B4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_00007FFB522CE0B4
Source: C:\Windows\System32\rundll32.exe	Code function: 1_2_00007FFB522C90E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_00007FFB522C90E4

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007FFB522D4FD0 cpuid

1_2_00007FFB522D4FD0

Source: C:\Windows\System32\rundll32.exe

Code function: 1_2_00007FFB522C93E0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00007FFB522C93E0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection11	Virtualization/Sandbox Evasion2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rundll321	LSASS Memory	Security Software Discovery4	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
dgiusjeja64_mediasrv.dll	49%	Virustotal		Browse
dgiusjeja64_mediasrv.dll	46%	Metadefender		Browse
dgiusjeja64_mediasrv.dll	79%	ReversingLabs	Win64.Trojan.Phonzy
dgiusjeja64_mediasrv.dll	100%	Avira	HEUR/AGEN.1137903

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.rundll32.exe.7ffb522c0000.1.unpack	100%	Avira	HEUR/AGEN.1137903	Download File
1.2.rundll32.exe.7ffb522c0000.1.unpack	100%	Avira	HEUR/AGEN.1137903	Download File
12.2.rundll32.exe.7ffb522c0000.1.unpack	100%	Avira	HEUR/AGEN.1137903	Download File
11.2.rundll32.exe.7ffb522c0000.1.unpack	100%	Avira	HEUR/AGEN.1137903	Download File
17.2.rundll32.exe.7ffb522c0000.1.unpack	100%	Avira	HEUR/AGEN.1137903	Download File
14.2.rundll32.exe.7ffb522c0000.1.unpack	100%	Avira	HEUR/AGEN.1137903	Download File
6.2.rundll32.exe.7ffb522c0000.1.unpack	100%	Avira	HEUR/AGEN.1137903	Download File
13.2.rundll32.exe.7ffb522c0000.1.unpack	100%	Avira	HEUR/AGEN.1137903	Download File
15.2.rundll32.exe.7ffb522c0000.1.unpack	100%	Avira	HEUR/AGEN.1137903	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

No contacted domains info

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	370722
Start date:	18.03.2021
Start time:	03:27:25
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	dgiusjeja64_mediasrv.png (renamed file extension from png to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal56.winDLL@23/8@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 88.2%) Quality average: 66.7% Quality standard deviation: 34.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 10 Number of non-executed functions: 25
Cookbook Comments:	Adjust boot time Enable AMSI Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 92.122.145.220, 104.43.193.48, 40.88.32.150, 13.88.21.125 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, skypedataprdcoleus15.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, watson.telemetry.microsoft.com, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolcus15.cloudapp.net

Simulations

Behavior and APIs

Time	Type	Description
03:28:23	API Interceptor	2x Sleep call for process: WerFault.exe modified
03:28:23	API Interceptor	2x Sleep call for process: loaddll64.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_dgi_17f6294235e29bf0f70dfe4296ff405bc6b1d1_92a90526_136c5a94\Report.wer Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9708
Entropy (8bit):	3.7668416012088124
Encrypted:	false
SSDEEP:	96:VO+avizJPnyff54ju55NbhfNpXIQcQvc6zcE5cw39XaXz+HbHgSQgJPb7IDV9wOm:VxiizJKff5JHB3Txjmt/u7sVS274lth/
MD5:	BEA5176645F9A3E9372F4913A120B8C0
SHA1:	50C2215277C7EEB95D146CB1EA56B583A5026F9A
SHA-256:	D240E9B6804CAC625884F089A4E4C30A209A86B6B0EA505BA35BB4F056923D97
SHA-512:	13020B4F916636C3972484298AD8A4F961328FC7A18234C513155497FAA621415340001DF806D53196C3729F0D5807CA763A992780721B271D9A5F2406AF5CDA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.0.5.3.6.9.0.5.7.9.8.2.9.8.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.0.5.3.6.9.0.6.3.6.0.7.9.8.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.a.a.6.2.b.a.b.-.f.9.8.8.-.4.f.9.2.-.b.0.f.8.-.5.5.4.a.1.a.0.d.f.2.4.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.d.7.c.1.9.4.-.a.c.4.0.-.4.7.3.6.-.b.f.9.f.-.1.b.3.7.c.a.9.a.3.e.b.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.d.g.i.u.s.j.e.j.a.6.4._.m.e.d.i.a.s.r.v...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.d.4.4.-.0.0.0.1.-.0.0.1.7.-.9.3.8.6.-.0.4.6.d.e.1.1.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.

C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_dgi_17f6294235e29bf0f70dfe4296ff405bc6b1d1_92a90526_16e4498c\Report.wer Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	9710
Entropy (8bit):	3.7652159520242368
Encrypted:	false
SSDEEP:	96:KasAvieJPnyVf54ju55NbhfNpXIQcQvc6zcE5cw39XaXz+HbHgSQgJPb7IDV9wOM:BRieJKVf5JHB3Txjmt/u7sVS274lthx
MD5:	46F7CA54E15B408DFCF128CC72754BF7
SHA1:	35EF54139ADA05B7005C9EB5101DDED05AF6F46C
SHA-256:	12F47BD95167A0F3F30EFF6D715CFE575459AC083E5FEB85D886E21633298C0F
SHA-512:	42BD9B057642EBE44845C927BD810B65A8BECB06FEEEDA5C53F5282026B5EB91756135153D4AAE410B7E7CAF3164254C9E03D4329800E60EFCB5DC612E0CFC31
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.6.0.5.3.6.9.0.1.4.0.7.6.8.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.6.0.5.3.6.9.0.2.0.4.8.3.0.8.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.5.3.d.0.5.8.-.4.0.6.6.-.4.9.c.6.-.9.7.c.e.-.2.e.e.1.b.8.5.5.2.6.9.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.8.0.c.e.6.a.d.-.0.3.2.d.-.4.2.f.f.-.8.0.f.b.-.5.d.6.e.4.8.6.1.a.a.8.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e._.d.g.i.u.s.j.e.j.a.6.4._.m.e.d.i.a.s.r.v...d.l.l.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.d.c.-.0.0.0.1.-.0.0.1.7.-.a.e.b.e.-.7.1.6.a.e.1.1.b.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.f.3.4.c.c.f.d.d.8.1.4.1.a.e.e.e.2.e.8.9.f.f.b.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4093.tmp.dmp Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 18 10:28:21 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	56106
Entropy (8bit):	1.6961583181587625
Encrypted:	false
SSDEEP:	192:6C9hjUiM0ezPjNVHIp23Vtyr893twv4t3kpDu:j9hrYNw23ar88At3eu
MD5:	BC7B008F91118403B076CD53AA707992
SHA1:	EC64A642D1FF9BE50738F632EEB8B8ECEE6B022C
SHA-256:	0FC01A9ED8EEF850A80C74881EEA01D2798DAEC5F2D45F2C1F97C31BEB3CB73D
SHA-512:	8DC0685F41CD7D97DC13B9F730CAD60302A4B886AE8E83375B8F24E30B12048A468A0B369B4E240BC8CAFD47A42D3233E0CFE0F9978CDFE5C72903D3552D3AE4
Malicious:	false
Preview:	MDMP....... .......E+S`...................U...........B..............Lw................Z*....T...........C+S`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...a.m.d.6.4.,.1.0...0...1.7.1.3.4...1.......................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER41EC.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8542
Entropy (8bit):	3.696626753721187
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi6vi1JtJ6Y394Qgmf2xSxQCprRN89bZlwTfrTm:RrlsNiKi1l6Ytvgmf2xSfqZlkfO
MD5:	34A9E1504F78B5F53B043468AC0AB815
SHA1:	CE841A8D9235A334812FCC7A0FA46C4BF06CC78B
SHA-256:	87414FE6999C3EB42AFCFE6763B582A064BFB4E112AC65784C95443A8A10C121
SHA-512:	A0C1B3FCB10206BBB98A16008109CA92990BFD9575E0CB370EBECBB3957CC921A7A5C1877D2D84DCB2AD1A30D953E3FF1A694E8D58417968C9656355E1FC24F4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER42B8.tmp.xml Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4782
Entropy (8bit):	4.486597621503638
Encrypted:	false
SSDEEP:	48:cvIwSD8zsSpJgtBI9ZtWSC8Bj8fm8M4JChC4WFjPyq85mgPZESC5SCd:uITfsrcSN2J1kVvCd
MD5:	4F7D926A017D7C6FF0BA2E74D839538D
SHA1:	7A362315E6F040ED8776A0C2EFFE552D9465A082
SHA-256:	63CA678BDB859DCB9EECAED5991A8BE2A04FDCA1E3A9B4420909F9DA50E2CDD0
SHA-512:	4BBBE8E889BA0AE5DF5228378D22A78342E1DAAC602739D5BF6ECBA478B517B9B8695FD72C440AAE2BEF034A7568F510BBA749BE9687B750DF2C913A00B67F6B
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="906939" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER51BA.tmp.dmp Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Thu Mar 18 10:28:26 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	55938
Entropy (8bit):	1.701841087642868
Encrypted:	false
SSDEEP:	192:+5of8BxNiTMkrCuCI2GBeYXXkaNno82jn03ehtyr893twn+ImeYeM6:wxQTZmGBTNAWr88nXmeYK
MD5:	F64ABAB4E69199CAA44A64CFE1335021
SHA1:	DBE373A0FC67868CE7B86582477D421DA07852C1
SHA-256:	661E2EDD0BA2493257D1E57538EFF30D9627E03414E8A5CDBF07D2C2C86548FD
SHA-512:	BE8483CA5B6A5857DCBA7EB6FB01B17C5CB30A84B1879E4E7CB0C8D35E95EEAA53C6F8605D387E924B9C0A41BFC645158D2668231A5AE250B10E3BCACEF59772
Malicious:	false
Preview:	MDMP....... .......J+S`...................U...........B..............Lw......................T.......D...H+S`.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...a.m.d.6.4.,.1.0...0...1.7.1.3.4...1.......................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER52F3.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8724
Entropy (8bit):	3.7016813000049003
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiald1C6Ysg7gmf2xSxQCprRb89bmAfUf3Cm:RrlsNigd1C6Yr7gmf2xSfcmA8fj
MD5:	83D3DF7EFDFA47C630F554E314EA144D
SHA1:	FF40BD1FBB7EBE9E9EE365FEB6A989AB8D8FBF56
SHA-256:	D1D5217AA21CA039DBD3AB32D1EE292E961A3AE7242D214C860D56C8FDD98B15
SHA-512:	4FD0F7C6793AA779EFBF2FD58886A140B4A28C31E8472E5D34740F62367BC74BBDF8966ECDBFB46539B638FC902FA50ABD2FDEE082B98D197AA306C3831D8809
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.3.9.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5381.tmp.xml Download File
Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4782
Entropy (8bit):	4.488227637363814
Encrypted:	false
SSDEEP:	48:cvIwSD8zsSpJgtBI9ZtWSC8Bbla8fm8M4JChC4WFd0xyq85mgeZESC5S+d:uITfsrcSNrvJjmBVv+d
MD5:	2477F4048BA56DD2AD65297DA475FCB4
SHA1:	5F488E06BF427FCEDB27DA556CC4FCBA14A3EB5B
SHA-256:	B9D60CA5DA69A7C6E414A744746A6132F3C419F243806A00E227721D0B7A64C4
SHA-512:	3EC60CC0602157DBD879E08F56FC32C9433FF11D3EB6AF32754E135D59D84496B3A4C33BD2B607AEBB712EEC861C225C45BE004E93AF2D4DE46E6625D4C7592C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="906939" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General
File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	5.964984823050676
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	dgiusjeja64_mediasrv.dll
File size:	140288
MD5:	c13860727871a39063e0bb58117919ba
SHA1:	4f91c6240d459858b7723e843d2ed37e1e9d152b
SHA256:	8fa363bec94402d57a8c1acb288e9d9ca0a28eee18d300359e83252c60e01719
SHA512:	348c5ecd6f06a114c11b100a95b89687a3064afe1fd5c3874772938a463c29d23938a1bca967734c19fd06bcf97f5d75c78431305912e06f1d73ceb83db48ec6
SSDEEP:	3072:Zyne4kjMlBYj6lLeD9LuLQKwj4UQbcb8cRm2:ZylXfYjeSxLu4R
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................^a......^a......^a..............................7.%.............].......].......].........y.....].......Rich...

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x18000909c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x60097C8C [Thu Jan 21 13:07:24 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d2e26c895718ba9e7941296173fe17d4

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FB0C4B5A807h
call 00007FB0C4B5AB28h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FB0C4B5A694h
int3
int3
int3
jmp 00007FB0C4B5FC24h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
dec eax
mov ebx, ecx
xor ecx, ecx
call dword ptr [0000D003h]
dec eax
mov ecx, ebx
call dword ptr [0000CFF2h]
call dword ptr [0000CF24h]
dec eax
mov ecx, eax
mov edx, C0000409h
dec eax
add esp, 20h
pop ebx
dec eax
jmp dword ptr [0000CFE8h]
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 38h
mov ecx, 00000017h
call 00007FB0C4B66ED7h
test eax, eax
je 00007FB0C4B5A809h
mov ecx, 00000002h
int 29h
dec eax
lea ecx, dword ptr [000179D3h]
call 00007FB0C4B5A9CFh
dec eax
mov eax, dword ptr [esp+38h]
dec eax
mov dword ptr [00017ABAh], eax
dec eax
lea eax, dword ptr [esp+38h]
dec eax
add eax, 08h
dec eax
mov dword ptr [00017A4Ah], eax
dec eax
mov eax, dword ptr [00017AA3h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1f310	0x7c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1f38c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x25000	0x4e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x22000	0x1698	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0x668	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1d900	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1d940	0x130	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14f80	0x15000	False	0.496082124256	data	6.23821166824	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x9c9a	0x9e00	False	0.417128164557	data	4.69449342541	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x20000	0x1be8	0xa00	False	0.17578125	data	2.43767822647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.pdata	0x22000	0x1698	0x1800	False	0.440104166667	data	4.7780949803	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x24000	0x94	0x200	False	0.203125	data	1.11945956359	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x25000	0x4e0	0x600	False	0.37890625	data	3.64413638585	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26000	0x668	0x800	False	0.50341796875	data	4.92296393674	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x250a0	0x2c0	data	English	United States
RT_MANIFEST	0x25360	0x17d	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

CreateFileW, GetFileSize, ReadFile, SetLastError, CloseHandle, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, OpenThread, SuspendThread, ResumeThread, ReadProcessMemory, WriteProcessMemory, GetModuleFileNameW, GetModuleHandleW, GetModuleHandleExW, GetProcAddress, LoadLibraryExW, LoadResource, LoadLibraryA, LoadLibraryW, FindResourceW, MultiByteToWideChar, CreateToolhelp32Snapshot, Thread32First, Thread32Next, WriteConsoleW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlPcToFileHeader, RaiseException, RtlUnwindEx, InterlockedFlushSList, GetLastError, EncodePointer, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, WideCharToMultiByte, ExitProcess, GetModuleFileNameA, GetStringTypeW, GetACP, HeapAlloc, HeapFree, LCMapStringW, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetStdHandle, GetFileType, HeapSize, HeapReAlloc, SetStdHandle, WriteFile, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx

USER32.dll

wsprintfA

Exports

Name	Ordinal	Address
ServiceMain	1	0x180007e00
SvchostPushServiceGlobals	2	0x1800080c8
decra	3	0x180008828

Version Infos

Description	Data
LegalCopyright	Copyright (C) Adobe 2020
InternalName	Adobe type
FileVersion	2.3.6.7
CompanyName	Adobe type
ProductName	Adobe type
ProductVersion	2.3.6.7
FileDescription	Adobe type
OriginalFilename	Adobe type
Translation	0x0809 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 18, 2021 03:28:06.743639946 CET	49199	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:06.792882919 CET	53	49199	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:07.858115911 CET	50620	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:07.907428980 CET	53	50620	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:08.198206902 CET	64938	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:08.260333061 CET	53	64938	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:09.008719921 CET	60152	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:09.070564032 CET	53	60152	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:10.029464006 CET	57544	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:10.081621885 CET	53	57544	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:11.711374044 CET	55984	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:11.761574984 CET	53	55984	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:12.671669960 CET	64185	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:12.720829010 CET	53	64185	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:13.601628065 CET	65110	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:13.650913954 CET	53	65110	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:14.552200079 CET	58361	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:14.612628937 CET	53	58361	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:15.439805984 CET	63492	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:15.488965988 CET	53	63492	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:16.674350023 CET	60831	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:16.733551979 CET	53	60831	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:17.465131998 CET	60100	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:17.514431000 CET	53	60100	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:18.638439894 CET	53195	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:18.688126087 CET	53	53195	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:19.762321949 CET	50141	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:19.814367056 CET	53	50141	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:20.900608063 CET	53023	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:20.961081982 CET	53	53023	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:22.073633909 CET	49563	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:22.131145000 CET	53	49563	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:23.350117922 CET	51352	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:23.412517071 CET	53	51352	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:27.705600977 CET	59349	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:27.757694960 CET	53	59349	8.8.8.8	192.168.2.3
Mar 18, 2021 03:28:35.908370018 CET	57084	53	192.168.2.3	8.8.8.8
Mar 18, 2021 03:28:35.959269047 CET	53	57084	8.8.8.8	192.168.2.3

Code Manipulations

Statistics

CPU Usage

• loaddll64.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe

Click to jump to process

Memory Usage

• loaddll64.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• loaddll64.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe
• cmd.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• WerFault.exe

Click to jump to process

System Behavior

Analysis Process: loaddll64.exe PID: 2792 Parent PID: 5684

Function Logs

General

Start time:	03:28:12
Start date:	18/03/2021
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll'
Imagebase:	0x7ff7c3830000
File size:	147456 bytes
MD5 hash:	8E81A09C7B4484341759E793AC330CB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Start time:	03:28:13
Start date:	18/03/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,ServiceMain
Imagebase:	0x7ff782fd0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	03:28:16
Start date:	18/03/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,SvchostPushServiceGlobals
Imagebase:	0x7ff782fd0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	03:28:19
Start date:	18/03/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll,decra
Imagebase:	0x7ff782fd0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	03:28:20
Start date:	18/03/2021
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6108 -s 316
Imagebase:	0x7ff69c760000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Start time:	03:28:24
Start date:	18/03/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe 'C:\Users\user\Desktop\dgiusjeja64_mediasrv.dll',decra
Imagebase:	0x7ff782fd0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	03:28:25
Start date:	18/03/2021
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3396 -s 316
Imagebase:	0x7ff69c760000
File size:	494488 bytes
MD5 hash:	2AFFE478D86272288BBEF5A00BBEF6A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report dgiusjeja64_mediasrv.png

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

UDP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll64.exe PID: 2792 Parent PID: 5684

General

File Activities

File Opened