Create Interactive Tour

Analysis Report

Overview

General Information

Analysis ID:387481
Infos:

Most interesting Screenshot:

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Sigma detected: rundll32 run dll from internet
Creates a process in suspended mode (likely to inject code)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w10x64
  • cmd.exe (PID: 6464 cmdline: cmd /C 'rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 6516 cmdline: rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: rundll32 run dll from internet
Source: Process startedAuthor: Joe Security: Data: Command: rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe, CommandLine: rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd /C 'rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6464, ProcessCommandLine: rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe, ProcessId: 6516

Signature Overview

Click to jump to signature section

Show All Signature Results
Source: rundll32.exe, 00000002.00000002.233368111.0000000000940000.00000004.00000020.sdmp, rundll32.exe, 00000002.00000002.233387196.000000000094A000.00000004.00000020.sdmpString found in binary or memory: http://google/Update/GoogleUpdate.exe
Source: rundll32.exe, 00000002.00000002.232927916.0000000000770000.00000004.00000020.sdmp, rundll32.exe, 00000002.00000002.233368111.0000000000940000.00000004.00000020.sdmpString found in binary or memory: http://google/Update/GoogleUpdate.exeWinsta0
Source: rundll32.exe, 00000002.00000002.232927916.0000000000770000.00000004.00000020.sdmp, rundll32.exe, 00000002.00000002.233368111.0000000000940000.00000004.00000020.sdmpString found in binary or memory: http://google/Update/GoogleUpdate.exerundll32.exe

System Summary:

barindex
Source: classification engineClassification label: mal48.win@4/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C 'rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe'
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exeJump to behavior
Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exeJump to behavior

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection11Rundll321OS Credential DumpingSystem Information Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection11LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 387481 Cookbook: defaultwindowscmdlinecookbook.jbs Startdate: 15/04/2021 Architecture: WINDOWS Score: 48 12 Sigma detected: rundll32 run dll from internet 2->12 6 cmd.exe 1 2->6         started        process3 process4 8 conhost.exe 6->8         started        10 rundll32.exe 6->10         started       

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

windows-stand
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
SourceDetectionScannerLabelLink
http://google/Update/GoogleUpdate.exe0%Avira URL Cloudsafe
http://google/Update/GoogleUpdate.exerundll32.exe0%Avira URL Cloudsafe
http://google/Update/GoogleUpdate.exeWinsta00%Avira URL Cloudsafe
No contacted domains info
NameSourceMaliciousAntivirus DetectionReputation
http://google/Update/GoogleUpdate.exerundll32.exe, 00000002.00000002.233368111.0000000000940000.00000004.00000020.sdmp, rundll32.exe, 00000002.00000002.233387196.000000000094A000.00000004.00000020.sdmptrue
  • Avira URL Cloud: safe
low
http://google/Update/GoogleUpdate.exerundll32.exerundll32.exe, 00000002.00000002.232927916.0000000000770000.00000004.00000020.sdmp, rundll32.exe, 00000002.00000002.233368111.0000000000940000.00000004.00000020.sdmpfalse
  • Avira URL Cloud: safe
low
http://google/Update/GoogleUpdate.exeWinsta0rundll32.exe, 00000002.00000002.232927916.0000000000770000.00000004.00000020.sdmp, rundll32.exe, 00000002.00000002.233368111.0000000000940000.00000004.00000020.sdmpfalse
  • Avira URL Cloud: safe
low
No contacted IP infos

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:387481
Start date:15.04.2021
Start time:10:28:35
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 7s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowscmdlinecookbook.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:27
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal48.win@4/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
No simulations
No context
No context
No context
No context
No context
No created / dropped files found

Static File Info

No static file info

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

050100s020406080100

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Start time:10:29:24
Start date:15/04/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C 'rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe'
Imagebase:0x150000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Start time:10:29:25
Start date:15/04/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Start time:10:29:25
Start date:15/04/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32.exe C:\Windows\system32\davclnt.dll#DavSetCookie Google http://google/Update/GoogleUpdate.exe
Imagebase:0xbc0000
File size:61952 bytes
MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

Disassembly

Code Analysis