Windows Analysis Report
iisutil.dll
Overview
General Information
Detection
| Score | 48 |
|---|---|
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Multi AV Scanner detection for submitted file
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Classification
- System is w10x64
- loaddll32.exe (PID: 6328, cmdline: loaddll32.exe "C:\Users\user\Desktop\iisutil.dll", MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 6340, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 404, cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1, MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 3872, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",#1, MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 6164, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 644, MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 5828, cmdline: rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ, MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 1732, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5828 -s 636, MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 6260, cmdline: rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0?$CDataCache@VCDateTime@@@@QAE@XZ, MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 3120, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 636, MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 3608, cmdline: rundll32.exe C:\Users\user\Desktop\iisutil.dll,??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z, MD5: 889B99C52A60DD49227C5E485A016679)
- WerFault.exe (PID: 1060, cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 636, MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 6048, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0?$CDataCache@UDATETIME_FORMAT_ENTRY@@@@QAE@XZ, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 1432, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0?$CDataCache@VCDateTime@@@@QAE@XZ, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 4476, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",??0ALLOC_CACHE_HANDLER@@QAE@PBDPBUALLOC_CACHE_CONFIGURATION@@H@Z, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6472, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",uuencode, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6592, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",uudecode, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 6264, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",_IISGetCurrentTime@8, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 3624, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",_GetAllocCounters@0, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7172, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteTraceLog, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7180, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteRefTraceLogEx, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7188, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",WriteRefTraceLog, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7196, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",TerminateLocalRequest, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7204, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",TerminateIISUtil, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7212, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SystemTimeToGMT, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7220, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",StopIISAdminMonitor, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7228, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",StartIISAdminMonitor, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7236, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SkipWhite, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7260, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SkipTo, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7280, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetStringParameterValueInAnyService, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7296, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetFlagsDebugPrintHR, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7376, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SetExplicitAccessSettings, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7460, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SchedulerTerminate, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7476, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",SchedulerInitialize, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7484, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",ScheduleWorkItem, MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 7500, cmdline: rundll32.exe "C:\Users\user\Desktop\iisutil.dll",ScheduleAdjustTime, MD5: 889B99C52A60DD49227C5E485A016679)
- cleanup
- No configs have been found
- No yara matches
- No Sigma rule has matched
- No Suricata rule has matched
AV Detection

| Source | Detail |
|---|---|
| ReversingLabs | |
| Code function | 0_2_6E68B9F0 |
| Code function | 0_2_6E68B990 |
| Static PE information | |
| Static PE information | |
| Binary string | |