Windows Analysis Report
ResPrompt.dll.dll

Overview

General Information

Sample name:	ResPrompt.dll.dll (renamed file extension from exe to dll)
Original sample name:	ResPrompt.dll.exe
Analysis ID:	1528530
MD5:	e1bdfa7bc2ec8370102e69de1fdc2800
SHA1:	1b26bcec613ee069c0905055b40f0e858143562d
SHA256:	15c4c03c0e4345a3fcc08e55164ed5cf004d8c2c40a46d7f7db891f312226497
Tags:	exegibbooc2comremcosuser-PeterGabaldon
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Abnormal high CPU Usage

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Signatures

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: ResPrompt.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34A3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	0_2_00007FFDA34A3250
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34A3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	0_2_00007FFDA34A3530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DBC74 FindFirstFileExW,	0_2_00007FFDA34DBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34A3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	3_2_00007FFDA34A3250
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34A3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	3_2_00007FFDA34A3530
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DBC74 FindFirstFileExW,	3_2_00007FFDA34DBC74

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34A3830 std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,GetLogicalDriveStringsA,GetDriveTypeA,

0_2_00007FFDA34A3830

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 154.21.14.89 22455

Jump to behavior

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:53479 -> 154.21.14.89:22455

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: gibbooc2.com

Abnormal high CPU Usage

Source: C:\Windows\System32\rundll32.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34E03E8	0_2_00007FFDA34E03E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D0310	0_2_00007FFDA34D0310
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CA0E0	0_2_00007FFDA34CA0E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CA840	0_2_00007FFDA34CA840
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34E2500	0_2_00007FFDA34E2500
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CABD8	0_2_00007FFDA34CABD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DE8F8	0_2_00007FFDA34DE8F8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D4FE4	0_2_00007FFDA34D4FE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D2DD8	0_2_00007FFDA34D2DD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DACC4	0_2_00007FFDA34DACC4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CB26C	0_2_00007FFDA34CB26C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CB6A4	0_2_00007FFDA34CB6A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34B16D0	0_2_00007FFDA34B16D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CF694	0_2_00007FFDA34CF694
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DD680	0_2_00007FFDA34DD680
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D5478	0_2_00007FFDA34D5478
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D5AF8	0_2_00007FFDA34D5AF8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D9B1C	0_2_00007FFDA34D9B1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CFA40	0_2_00007FFDA34CFA40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D1958	0_2_00007FFDA34D1958
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34C9EDC	0_2_00007FFDA34C9EDC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34E1E64	0_2_00007FFDA34E1E64
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34C9CD8	0_2_00007FFDA34C9CD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DBC74	0_2_00007FFDA34DBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34E03E8	3_2_00007FFDA34E03E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D0310	3_2_00007FFDA34D0310
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CA0E0	3_2_00007FFDA34CA0E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CA840	3_2_00007FFDA34CA840
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34E2500	3_2_00007FFDA34E2500
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CABD8	3_2_00007FFDA34CABD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DE8F8	3_2_00007FFDA34DE8F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D4FE4	3_2_00007FFDA34D4FE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D2DD8	3_2_00007FFDA34D2DD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DACC4	3_2_00007FFDA34DACC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CB26C	3_2_00007FFDA34CB26C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CB6A4	3_2_00007FFDA34CB6A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34B16D0	3_2_00007FFDA34B16D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CF694	3_2_00007FFDA34CF694
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DD680	3_2_00007FFDA34DD680
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D5478	3_2_00007FFDA34D5478
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D5AF8	3_2_00007FFDA34D5AF8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D9B1C	3_2_00007FFDA34D9B1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CFA40	3_2_00007FFDA34CFA40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D1958	3_2_00007FFDA34D1958
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34C9EDC	3_2_00007FFDA34C9EDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34E1E64	3_2_00007FFDA34E1E64
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34C9CD8	3_2_00007FFDA34C9CD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DBC74	3_2_00007FFDA34DBC74

Sample file is different than original file name gathered from version info

Source: ResPrompt.dll.dll

Binary or memory string: OriginalFilenameResourceCommander.exeD vs ResPrompt.dll.dll

Source: classification engine

Classification label: mal52.evad.winDLL@12/0@1/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3088:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E27727EB-367C-4A9D-96C6-6520160ADF9B}

Source: ResPrompt.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ResPrompt.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ResPrompt.dll.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ResPrompt.dll.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ResPrompt.dll.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ResPrompt.dll.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ResPrompt.dll.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ResPrompt.dll.dll,DllUnregisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: ResPrompt.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: ResPrompt.dll.dll

Static file information: File size 32843280 > 1048576

Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ResPrompt.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: ResPrompt.dll.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: ResPrompt.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ResPrompt.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ResPrompt.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ResPrompt.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ResPrompt.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34883E0 LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_00007FFDA34883E0

Registers a DLL

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ResPrompt.dll.dll

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\rundll32.exe

Window / User API: foregroundWindowGot 781

Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\System32\loaddll64.exe	API coverage: 3.5 %
Source: C:\Windows\System32\regsvr32.exe	API coverage: 0.9 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\rundll32.exe TID: 5376	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5376	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5376	Thread sleep time: -32594s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5376	Thread sleep time: -33180s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5376	Thread sleep count: 47 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4836	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4836	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1404	Thread sleep count: 47 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1404	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3792	Thread sleep time: -33162s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3792	Thread sleep time: -39118s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3792	Thread sleep time: -35734s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3792	Thread sleep time: -36324s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3604	Thread sleep time: -35282s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3604	Thread sleep time: -32856s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6556	Thread sleep time: -35818s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6556	Thread sleep time: -33848s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6556	Thread sleep time: -52065s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3172	Thread sleep time: -34508s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3172	Thread sleep time: -37452s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3172	Thread sleep time: -36074s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2760	Thread sleep time: -51774s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5052	Thread sleep time: -39106s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5052	Thread sleep time: -31798s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1088	Thread sleep time: -31664s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1088	Thread sleep time: -35220s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3704	Thread sleep time: -35244s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3704	Thread sleep time: -38360s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3704	Thread sleep time: -34264s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4920	Thread sleep time: -37884s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4920	Thread sleep time: -30772s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 760	Thread sleep time: -36104s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 760	Thread sleep time: -36758s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6312	Thread sleep time: -39580s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2524	Thread sleep time: -30580s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5696	Thread sleep time: -36152s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5696	Thread sleep time: -33706s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3460	Thread sleep time: -39294s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3460	Thread sleep time: -31620s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3460	Thread sleep time: -31066s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5176	Thread sleep time: -38800s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5984	Thread sleep time: -32866s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5984	Thread sleep time: -32840s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5984	Thread sleep time: -35786s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5984	Thread sleep time: -36756s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2760	Thread sleep time: -30440s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2760	Thread sleep time: -33066s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6636	Thread sleep time: -35226s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3000	Thread sleep time: -31784s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3000	Thread sleep time: -38608s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3000	Thread sleep time: -32382s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3000	Thread sleep time: -33722s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3000	Thread sleep time: -37340s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6888	Thread sleep time: -30710s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1944	Thread sleep time: -38044s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1944	Thread sleep time: -39782s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4932	Thread sleep time: -30410s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4364	Thread sleep time: -39948s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4364	Thread sleep time: -38928s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6076	Thread sleep time: -33560s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6076	Thread sleep time: -37360s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6076	Thread sleep time: -38778s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6076	Thread sleep time: -38914s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5028	Thread sleep time: -34048s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5028	Thread sleep time: -34830s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3200	Thread sleep time: -35942s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4188	Thread sleep time: -30908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3916	Thread sleep time: -39524s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6720	Thread sleep time: -31624s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5768	Thread sleep time: -32692s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5044	Thread sleep time: -36956s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4952	Thread sleep time: -35140s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5040	Thread sleep time: -31034s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3504	Thread sleep time: -30466s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3924	Thread sleep time: -35694s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34A3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	0_2_00007FFDA34A3250
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34A3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	0_2_00007FFDA34A3530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DBC74 FindFirstFileExW,	0_2_00007FFDA34DBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34A3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	3_2_00007FFDA34A3250
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34A3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	3_2_00007FFDA34A3530
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DBC74 FindFirstFileExW,	3_2_00007FFDA34DBC74

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34A3830 std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,GetLogicalDriveStringsA,GetDriveTypeA,

0_2_00007FFDA34A3830

Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34C40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FFDA34C40A0

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34883E0 LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_00007FFDA34883E0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34DD000 GetProcessHeap,

0_2_00007FFDA34DD000

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34C4354 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FFDA34C4354
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34C40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FFDA34C40A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34C9238 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FFDA34C9238
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34C4354 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FFDA34C4354
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34C40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFDA34C40A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34C9238 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFDA34C9238

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 154.21.14.89 22455

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1

Jump to behavior

Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ping>>//>>Program Manager>>//>>F3723}
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ping>>//>>Program Manager>>//>>
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClientInfo>>//>>992547/user<-->Windows 10 Pro=19045<-->C:\Windows\system32\rundll32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/9/2022 23:6 p.m.<-->Program Manager<-->
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 992547/user<-->Windows 10 Pro=19045<-->C:\Windows\system32\rundll32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/9/2022 23:6 p.m.<-->Program Manager<-->
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerF3723}
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ping>>//>>Program Manager>>//>>7F3723}
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClientInfo>>//>>992547/user<-->Windows 10 Pro=19045<-->C:\Windows\system32\rundll32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/9/2022 23:6 p.m.<-->Program Manager<-->\|G\
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClientInfo>>//>>992547/user<-->Windows 10 Pro=19045<-->C:\Windows\system32\rundll32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/9/2022 23:6 p.m.<-->Program Manager<-->iGO
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 992547/user<-->Windows 10 Pro=19045<-->C:\Windows\system32\rundll32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/9/2022 23:6 p.m.<-->Program Manager<-->: 0<-->

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34E4F90 cpuid

0_2_00007FFDA34E4F90

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_00007FFDA34D40D8
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_00007FFDA34D44C4
Source: C:\Windows\System32\loaddll64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FFDA34DEE88
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_00007FFDA34DF2B4
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FFDA34DF34C
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_00007FFDA34DF1E4
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_00007FFDA34DF79C
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FFDA34DF6EC
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_00007FFDA34DF594
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FFDA34DF8D0
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFDA34D40D8
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	3_2_00007FFDA34D44C4
Source: C:\Windows\System32\regsvr32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_00007FFDA34DEE88
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFDA34DF2B4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00007FFDA34DF34C
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFDA34DF1E4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	3_2_00007FFDA34DF79C
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00007FFDA34DF6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	3_2_00007FFDA34DF594
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00007FFDA34DF8D0

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34C41E8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FFDA34C41E8

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
154.21.14.89	gibbooc2.com	United States		174	COGENT-174US	true

Contacted Domains

Name	IP	Active
gibbooc2.com	154.21.14.89	true

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: ResPrompt.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34A3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	0_2_00007FFDA34A3250
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34A3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	0_2_00007FFDA34A3530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DBC74 FindFirstFileExW,	0_2_00007FFDA34DBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34A3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	3_2_00007FFDA34A3250
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34A3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	3_2_00007FFDA34A3530
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DBC74 FindFirstFileExW,	3_2_00007FFDA34DBC74

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34A3830 std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,GetLogicalDriveStringsA,GetDriveTypeA,

0_2_00007FFDA34A3830

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 154.21.14.89 22455

Jump to behavior

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.6:53479 -> 154.21.14.89:22455

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: COGENT-174US COGENT-174US

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: gibbooc2.com

Abnormal high CPU Usage

Source: C:\Windows\System32\rundll32.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34E03E8	0_2_00007FFDA34E03E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D0310	0_2_00007FFDA34D0310
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CA0E0	0_2_00007FFDA34CA0E0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CA840	0_2_00007FFDA34CA840
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34E2500	0_2_00007FFDA34E2500
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CABD8	0_2_00007FFDA34CABD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DE8F8	0_2_00007FFDA34DE8F8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D4FE4	0_2_00007FFDA34D4FE4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D2DD8	0_2_00007FFDA34D2DD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DACC4	0_2_00007FFDA34DACC4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CB26C	0_2_00007FFDA34CB26C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CB6A4	0_2_00007FFDA34CB6A4
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34B16D0	0_2_00007FFDA34B16D0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CF694	0_2_00007FFDA34CF694
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DD680	0_2_00007FFDA34DD680
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D5478	0_2_00007FFDA34D5478
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D5AF8	0_2_00007FFDA34D5AF8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D9B1C	0_2_00007FFDA34D9B1C
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34CFA40	0_2_00007FFDA34CFA40
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34D1958	0_2_00007FFDA34D1958
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34C9EDC	0_2_00007FFDA34C9EDC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34E1E64	0_2_00007FFDA34E1E64
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34C9CD8	0_2_00007FFDA34C9CD8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DBC74	0_2_00007FFDA34DBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34E03E8	3_2_00007FFDA34E03E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D0310	3_2_00007FFDA34D0310
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CA0E0	3_2_00007FFDA34CA0E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CA840	3_2_00007FFDA34CA840
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34E2500	3_2_00007FFDA34E2500
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CABD8	3_2_00007FFDA34CABD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DE8F8	3_2_00007FFDA34DE8F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D4FE4	3_2_00007FFDA34D4FE4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D2DD8	3_2_00007FFDA34D2DD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DACC4	3_2_00007FFDA34DACC4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CB26C	3_2_00007FFDA34CB26C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CB6A4	3_2_00007FFDA34CB6A4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34B16D0	3_2_00007FFDA34B16D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CF694	3_2_00007FFDA34CF694
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DD680	3_2_00007FFDA34DD680
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D5478	3_2_00007FFDA34D5478
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D5AF8	3_2_00007FFDA34D5AF8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D9B1C	3_2_00007FFDA34D9B1C
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34CFA40	3_2_00007FFDA34CFA40
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34D1958	3_2_00007FFDA34D1958
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34C9EDC	3_2_00007FFDA34C9EDC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34E1E64	3_2_00007FFDA34E1E64
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34C9CD8	3_2_00007FFDA34C9CD8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DBC74	3_2_00007FFDA34DBC74

Sample file is different than original file name gathered from version info

Source: ResPrompt.dll.dll

Binary or memory string: OriginalFilenameResourceCommander.exeD vs ResPrompt.dll.dll

Source: classification engine

Classification label: mal52.evad.winDLL@12/0@1/1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3088:120:WilError_03
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{E27727EB-367C-4A9D-96C6-6520160ADF9B}

Source: ResPrompt.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\ResPrompt.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ResPrompt.dll.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ResPrompt.dll.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ResPrompt.dll.dll,DllUnregisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ResPrompt.dll.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ResPrompt.dll.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\ResPrompt.dll.dll,DllUnregisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: ResPrompt.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: ResPrompt.dll.dll

Static file information: File size 32843280 > 1048576

Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ResPrompt.dll.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: ResPrompt.dll.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: ResPrompt.dll.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: ResPrompt.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ResPrompt.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ResPrompt.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ResPrompt.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ResPrompt.dll.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34883E0 LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_00007FFDA34883E0

Registers a DLL

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\ResPrompt.dll.dll

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\rundll32.exe

Window / User API: foregroundWindowGot 781

Jump to behavior

Found large amount of non-executed APIs

Source: C:\Windows\System32\loaddll64.exe	API coverage: 3.5 %
Source: C:\Windows\System32\regsvr32.exe	API coverage: 0.9 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\rundll32.exe TID: 5376	Thread sleep count: 59 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5376	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5376	Thread sleep time: -32594s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5376	Thread sleep time: -33180s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5376	Thread sleep count: 47 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4836	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4836	Thread sleep time: -56000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1404	Thread sleep count: 47 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1404	Thread sleep count: 48 > 30	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3792	Thread sleep time: -33162s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3792	Thread sleep time: -39118s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3792	Thread sleep time: -35734s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3792	Thread sleep time: -36324s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3604	Thread sleep time: -35282s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3604	Thread sleep time: -32856s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6556	Thread sleep time: -35818s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6556	Thread sleep time: -33848s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6556	Thread sleep time: -52065s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3172	Thread sleep time: -34508s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3172	Thread sleep time: -37452s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3172	Thread sleep time: -36074s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2760	Thread sleep time: -51774s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5052	Thread sleep time: -39106s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5052	Thread sleep time: -31798s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1088	Thread sleep time: -31664s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1088	Thread sleep time: -35220s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3704	Thread sleep time: -35244s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3704	Thread sleep time: -38360s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3704	Thread sleep time: -34264s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4920	Thread sleep time: -37884s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4920	Thread sleep time: -30772s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 760	Thread sleep time: -36104s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 760	Thread sleep time: -36758s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6312	Thread sleep time: -39580s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2524	Thread sleep time: -30580s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5696	Thread sleep time: -36152s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5696	Thread sleep time: -33706s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3460	Thread sleep time: -39294s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3460	Thread sleep time: -31620s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3460	Thread sleep time: -31066s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5176	Thread sleep time: -38800s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5984	Thread sleep time: -32866s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5984	Thread sleep time: -32840s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5984	Thread sleep time: -35786s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5984	Thread sleep time: -36756s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2760	Thread sleep time: -30440s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 2760	Thread sleep time: -33066s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6636	Thread sleep time: -35226s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3000	Thread sleep time: -31784s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3000	Thread sleep time: -38608s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3000	Thread sleep time: -32382s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3000	Thread sleep time: -33722s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3000	Thread sleep time: -37340s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6888	Thread sleep time: -30710s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1944	Thread sleep time: -38044s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 1944	Thread sleep time: -39782s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4932	Thread sleep time: -30410s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4364	Thread sleep time: -39948s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4364	Thread sleep time: -38928s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6076	Thread sleep time: -33560s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6076	Thread sleep time: -37360s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6076	Thread sleep time: -38778s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6076	Thread sleep time: -38914s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5028	Thread sleep time: -34048s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5028	Thread sleep time: -34830s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3200	Thread sleep time: -35942s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4188	Thread sleep time: -30908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3916	Thread sleep time: -39524s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 6720	Thread sleep time: -31624s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5768	Thread sleep time: -32692s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5044	Thread sleep time: -36956s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 4952	Thread sleep time: -35140s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 5040	Thread sleep time: -31034s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3504	Thread sleep time: -30466s >= -30000s	Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 3924	Thread sleep time: -35694s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34A3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	0_2_00007FFDA34A3250
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34A3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	0_2_00007FFDA34A3530
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34DBC74 FindFirstFileExW,	0_2_00007FFDA34DBC74
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34A3250 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	3_2_00007FFDA34A3250
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34A3530 Concurrency::details::WorkQueue::IsStructuredEmpty,FindFirstFileW,Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock,FindNextFileW,FindClose,	3_2_00007FFDA34A3530
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34DBC74 FindFirstFileExW,	3_2_00007FFDA34DBC74

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34A3830 std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,std::_Fac_node::_Fac_node,GetLogicalDriveStringsA,GetDriveTypeA,

0_2_00007FFDA34A3830

Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34C40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FFDA34C40A0

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34883E0 LoadLibraryA,GetProcAddress,FreeLibrary,

0_2_00007FFDA34883E0

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34DD000 GetProcessHeap,

0_2_00007FFDA34DD000

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34C4354 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FFDA34C4354
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34C40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FFDA34C40A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FFDA34C9238 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FFDA34C9238
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34C4354 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00007FFDA34C4354
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34C40A0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFDA34C40A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00007FFDA34C9238 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00007FFDA34C9238

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 154.21.14.89 22455

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ResPrompt.dll.dll",#1

Jump to behavior

Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ping>>//>>Program Manager>>//>>F3723}
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ping>>//>>Program Manager>>//>>
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClientInfo>>//>>992547/user<-->Windows 10 Pro=19045<-->C:\Windows\system32\rundll32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/9/2022 23:6 p.m.<-->Program Manager<-->
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 992547/user<-->Windows 10 Pro=19045<-->C:\Windows\system32\rundll32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/9/2022 23:6 p.m.<-->Program Manager<-->
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerF3723}
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Ping>>//>>Program Manager>>//>>7F3723}
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClientInfo>>//>>992547/user<-->Windows 10 Pro=19045<-->C:\Windows\system32\rundll32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/9/2022 23:6 p.m.<-->Program Manager<-->\|G\
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClientInfo>>//>>992547/user<-->Windows 10 Pro=19045<-->C:\Windows\system32\rundll32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/9/2022 23:6 p.m.<-->Program Manager<-->iGO
Source: rundll32.exe, 00000004.00000002.4588163768.000002375B338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 992547/user<-->Windows 10 Pro=19045<-->C:\Windows\system32\rundll32.exe<-->Microsoft Defender Antivirus-<-->1709044087<-->A<-->7/9/2022 23:6 p.m.<-->Program Manager<-->: 0<-->

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34E4F90 cpuid

0_2_00007FFDA34E4F90

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_00007FFDA34D40D8
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_00007FFDA34D44C4
Source: C:\Windows\System32\loaddll64.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FFDA34DEE88
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_00007FFDA34DF2B4
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FFDA34DF34C
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,	0_2_00007FFDA34DF1E4
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_00007FFDA34DF79C
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FFDA34DF6EC
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_00007FFDA34DF594
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FFDA34DF8D0
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFDA34D40D8
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	3_2_00007FFDA34D44C4
Source: C:\Windows\System32\regsvr32.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	3_2_00007FFDA34DEE88
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFDA34DF2B4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00007FFDA34DF34C
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,	3_2_00007FFDA34DF1E4
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	3_2_00007FFDA34DF79C
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00007FFDA34DF6EC
Source: C:\Windows\System32\regsvr32.exe	Code function: GetLocaleInfoW,	3_2_00007FFDA34DF594
Source: C:\Windows\System32\regsvr32.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00007FFDA34DF8D0

Source: C:\Windows\System32\loaddll64.exe

Code function: 0_2_00007FFDA34C41E8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FFDA34C41E8

ID:	1528530
Product:	CloudBasic
Start time:	00:46:13
Start date:	08.10.2024
Sample:	ResPrompt.dll.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e1bdfa7bc2ec8370102e69de1fdc2800
SHA1:	1b26bcec613ee069c0905055b40f0e858143562d
SHA256:	15c4c03c0e4345a3fcc08e55164ed5cf004d8c2c40a46d7f7db891f312226497
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Windows Analysis Report
ResPrompt.dll.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report ResPrompt.dll.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Windows Analysis Report
ResPrompt.dll.dll