Windows Analysis Report
file.dll

Overview

General Information

Sample name: file.dll
renamed because original name is a hash value
Original sample name: file.exe
Analysis ID: 1524403
MD5: 69d883f1a13a13d5f198b45a5df0ba97
SHA1: 940678df6cc3814046d7acac5bd0ab1b8664249d
SHA256: 5749acfc3cb027699aa197427c06334c69fb7d36add21f32105cd4033f3a191b
Tags: dll, exe, signed, x64, user-jstrosch
Infos:

Detection

Score: 9
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Source: file.dll Static PE information: certificate valid
Source: file.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-x64-cygwin\jdk8u361\3183\build\windows-x64\deploy\tmp\jp2ssv\obj64\jp2ssv.pdb source: rundll32.exe, 00000008.00000002.2499663761.00007FFD9DFC3000.00000002.00000001.01000000.00000003.sdmp, file.dll
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF977C0 FindFirstFileA,FindNextFileA,FindClose, 8_2_00007FFD9DF977C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF994A8 FindFirstFileA,_local_unwind,FindNextFileA,DeleteFileA,FindClose, 8_2_00007FFD9DF994A8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB81B4 FindFirstFileExW, 8_2_00007FFD9DFB81B4
Source: unknown DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: file.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: file.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.dll String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.dll String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: file.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.dll String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.dll String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: file.dll String found in binary or memory: http://ocsp.digicert.com0
Source: file.dll String found in binary or memory: http://ocsp.digicert.com0A
Source: file.dll String found in binary or memory: http://ocsp.digicert.com0C
Source: file.dll String found in binary or memory: http://ocsp.digicert.com0X
Source: Amcache.hve.11.dr String found in binary or memory: http://upx.sf.net
Source: file.dll String found in binary or memory: http://www.digicert.com/CPS0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF9D740 8_2_00007FFD9DF9D740
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF91F64 8_2_00007FFD9DF91F64
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF91520 8_2_00007FFD9DF91520
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB2660 8_2_00007FFD9DFB2660
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB6690 8_2_00007FFD9DFB6690
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF9DE90 8_2_00007FFD9DF9DE90
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF9475C 8_2_00007FFD9DF9475C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB7FA8 8_2_00007FFD9DFB7FA8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF957E0 8_2_00007FFD9DF957E0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF99010 8_2_00007FFD9DF99010
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFA5858 8_2_00007FFD9DFA5858
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF9DCA8 8_2_00007FFD9DF9DCA8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF957E0 8_2_00007FFD9DF957E0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFBA4F4 8_2_00007FFD9DFBA4F4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB4588 8_2_00007FFD9DFB4588
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB1DC8 8_2_00007FFD9DFB1DC8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFBD5E4 8_2_00007FFD9DFBD5E4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFA8E14 8_2_00007FFD9DFA8E14
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFA5ADC 8_2_00007FFD9DFA5ADC
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFAE2EC 8_2_00007FFD9DFAE2EC
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF92BCC 8_2_00007FFD9DF92BCC
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFC0BF8 8_2_00007FFD9DFC0BF8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF953F0 8_2_00007FFD9DF953F0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFAAC50 8_2_00007FFD9DFAAC50
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFAF87C 8_2_00007FFD9DFAF87C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB6074 8_2_00007FFD9DFB6074
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB4588 8_2_00007FFD9DFB4588
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFAE8C0 8_2_00007FFD9DFAE8C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFA8908 8_2_00007FFD9DFA8908
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF97988 8_2_00007FFD9DF97988
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB81B4 8_2_00007FFD9DFB81B4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFAB204 8_2_00007FFD9DFAB204
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFBCA2C 8_2_00007FFD9DFBCA2C
Source: C:\Windows\System32\rundll32.exe Code function: String function: 00007FFD9DF9A2D8 appears 34 times
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6664 -s 348
Source: file.dll Binary or memory string: OriginalFilenamejp2ssv.dllX vs file.dll
Source: C:\Windows\System32\rundll32.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\118.0.1 (x64 en-US)\Main Install Directory
Source: classification engine Classification label: clean9.winDLL@15/5@1/0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF937D4 CoCreateInstance, 8_2_00007FFD9DF937D4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF94418 WideCharToMultiByte,LoadLibraryExA,LoadLibraryExA,FindResourceA,LoadResource,SizeofResource,FreeLibrary, 8_2_00007FFD9DF94418
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6664
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\419624aa-c12d-47e2-aac6-301164bdc823
Source: file.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,CheckMozJavaPlugins
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\file.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\file.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,CheckMozJavaPlugins
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,DllGetClassObject
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6664 -s 348
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\file.dll
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,CheckMozJavaPlugins
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\file.dll,DllGetClassObject
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: file.dll Static PE information: certificate valid
Source: file.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: file.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-x64-cygwin\jdk8u361\3183\build\windows-x64\deploy\tmp\jp2ssv\obj64\jp2ssv.pdb source: rundll32.exe, 00000008.00000002.2499663761.00007FFD9DFC3000.00000002.00000001.01000000.00000003.sdmp, file.dll
Source: file.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF96D4C _snwprintf_s,LoadLibraryA,_snwprintf_s,LoadLibraryA,_snwprintf_s,LoadLibraryA,GetProcAddress,_Wcsftime,FreeLibrary, 8_2_00007FFD9DF96D4C
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\file.dll
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe API coverage: 2.8 %
Source: C:\Windows\System32\loaddll64.exe TID: 1612 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF977C0 FindFirstFileA,FindNextFileA,FindClose, 8_2_00007FFD9DF977C0
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF994A8 FindFirstFileA,_local_unwind,FindNextFileA,DeleteFileA,FindClose, 8_2_00007FFD9DF994A8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB81B4 FindFirstFileExW, 8_2_00007FFD9DFB81B4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFA42A8 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect, 8_2_00007FFD9DFA42A8
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: Amcache.hve.11.dr Binary or memory string: VMware
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.11.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.11.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.dr Binary or memory string: vmci.sys
Source: Amcache.hve.11.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.11.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.dr Binary or memory string: VMware20,1
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFA3E7C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFD9DFA3E7C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF9F3F4 GetLastError,IsDebuggerPresent,OutputDebugStringW, 8_2_00007FFD9DF9F3F4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF96D4C _snwprintf_s,LoadLibraryA,_snwprintf_s,LoadLibraryA,_snwprintf_s,LoadLibraryA,GetProcAddress,_Wcsftime,FreeLibrary, 8_2_00007FFD9DF96D4C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB93A4 GetProcessHeap, 8_2_00007FFD9DFB93A4
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFA3E7C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFD9DFA3E7C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFA0398 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00007FFD9DFA0398
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF9F94C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FFD9DF9F94C
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\file.dll",#1
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFC0910 cpuid 8_2_00007FFD9DFC0910
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFA06A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_00007FFD9DFA06A8
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DFB627C _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 8_2_00007FFD9DFB627C
Source: C:\Windows\System32\rundll32.exe Code function: 8_2_00007FFD9DF9A744 GetVersionExA, 8_2_00007FFD9DF9A744
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.11.dr Binary or memory string: MsMpEng.exe
No contacted IP infos