Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
weird.dll

Overview

General Information

Sample name:weird.dll
(renamed file extension from none to dll)
Original sample name:weird
Analysis ID:1540387
MD5:34a7856b9671389544a4a9c37a037250
SHA1:a6a04e0372c58624758fda199c3f1e8180048422
SHA256:e36a6367c6b8b7fa9f2f5b059c5df919d9ec2106e6ae5e8177bc2203e8553ef8
Infos:

Detection

Score:23
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

AI detected suspicious sample
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • loaddll64.exe (PID: 6944 cmdline: loaddll64.exe "C:\Users\user\Desktop\weird.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)
    • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7084 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\weird.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • rundll32.exe (PID: 7140 cmdline: rundll32.exe "C:\Users\user\Desktop\weird.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Click to jump to signature section

Show All Signature Results

AV Detection

barindex
Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.1% probability
Source: weird.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualStudio.TeamFoundation.InitializationPackage.ni.pdbRSDS source: weird.dll
Source: Binary string: Microsoft.VisualStudio.TeamFoundation.InitializationPackage.ni.pdb source: weird.dll
Source: Binary string: D:\a\_work\1\obj\Release.AnyCPU\VSIntegration.Client\MS.VS.TeamFoundation.InitializationPackage\net472\Microsoft.VisualStudio.TeamFoundation.InitializationPackage.pdb source: weird.dll
Source: weird.dllStatic PE information: No import functions for PE file found
Source: weird.dllBinary or memory string: OriginalFilenameMicrosoft.VisualStudio.TeamFoundation.InitializationPackageT vs weird.dll
Source: classification engineClassification label: sus23.winDLL@6/0@0/0
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: weird.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll64.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\weird.dll",#1
Source: unknownProcess created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\weird.dll"
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\weird.dll",#1
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\weird.dll",#1
Source: C:\Windows\System32\loaddll64.exeProcess created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\weird.dll",#1Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\weird.dll",#1Jump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\loaddll64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: weird.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: weird.dllStatic PE information: Image base 0x644a0000000 > 0x60000000
Source: weird.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: weird.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: Microsoft.VisualStudio.TeamFoundation.InitializationPackage.ni.pdbRSDS source: weird.dll
Source: Binary string: Microsoft.VisualStudio.TeamFoundation.InitializationPackage.ni.pdb source: weird.dll
Source: Binary string: D:\a\_work\1\obj\Release.AnyCPU\VSIntegration.Client\MS.VS.TeamFoundation.InitializationPackage\net472\Microsoft.VisualStudio.TeamFoundation.InitializationPackage.pdb source: weird.dll
Source: weird.dllStatic PE information: 0x9AD6A36B [Fri Apr 26 15:23:23 2052 UTC]
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\loaddll64.exe TID: 6940Thread sleep time: -120000s >= -30000sJump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Windows\System32\loaddll64.exeThread delayed: delay time: 120000Jump to behavior
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\weird.dll",#1Jump to behavior
ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading
11
Process Injection
1
Rundll32
OS Credential Dumping11
Virtualization/Sandbox Evasion
Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
DLL Side-Loading
11
Virtualization/Sandbox Evasion
LSASS Memory1
System Information Discovery
Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)11
Process Injection
Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Timestomp
NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading
LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1540387 Sample: weird Startdate: 23/10/2024 Architecture: WINDOWS Score: 23 15 AI detected suspicious sample 2->15 7 loaddll64.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 conhost.exe 7->11         started        process5 13 rundll32.exe 9->13         started       

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand
SourceDetectionScannerLabelLink
weird.dll0%ReversingLabs
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1540387
Start date and time:2024-10-23 17:58:18 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 1m 54s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:4
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:weird.dll
(renamed file extension from none to dll)
Original Sample Name:weird
Detection:SUS
Classification:sus23.winDLL@6/0@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Stop behavior analysis, all processes terminated
  • Not all processes where analyzed, report is missing behavior information
  • VT rate limit hit for: weird.dll
TimeTypeDescription
11:59:17API Interceptor1x Sleep call for process: loaddll64.exe modified
No context
No context
No context
No context
No context
No created / dropped files found
File type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.09498958727029
TrID:
  • Win64 Dynamic Link Library (generic) (102004/3) 84.96%
  • Win64 Executable (generic) (12005/4) 10.00%
  • DOS Executable Borland Pascal 7.0x (2037/25) 1.70%
  • Generic Win/DOS Executable (2004/3) 1.67%
  • DOS Executable Generic (2002/1) 1.67%
File name:weird.dll
File size:24'064 bytes
MD5:34a7856b9671389544a4a9c37a037250
SHA1:a6a04e0372c58624758fda199c3f1e8180048422
SHA256:e36a6367c6b8b7fa9f2f5b059c5df919d9ec2106e6ae5e8177bc2203e8553ef8
SHA512:559f7896e82b811a039a63a379da8f02a5fe03e409af2ad52a5635fadcec6a396bda08924fd35967be40188722baf667aa29663f50f92864a4fdbbc30780b43c
SSDEEP:384:MTZHuW4xt1EBWYNwWNZ9lrJrPZRwDJX33nLN4+Q6PNaHnu8:M1Hkt1EvNwAvJLrgNXLNa
TLSH:73B2D510D7D98A36D86B86351CA35A00993BFDD6FA30ABDF1441A31F5C623D09AB2B71
File Content Preview:MZ......................@.......................................................................................................PE..d...k............." ............................D.........................................`................................
Icon Hash:7ae282899bbab082
Entrypoint:0x644a0000000
Entrypoint Section:
Digitally signed:false
Imagebase:0x644a0000000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:0x9AD6A36B [Fri Apr 26 15:23:23 2052 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:2
File Version Major:5
File Version Minor:2
Subsystem Version Major:5
Subsystem Version Minor:2
Import Hash:
Instruction
dec ebp
pop edx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+45h], dl
add byte ptr [eax], al
xchg byte ptr fs:[ebx], al
add byte ptr [ebx-5Dh], ch
salc
call far 0000h : 00000000h
add byte ptr [eax], al
lock add byte ptr [edx], ah
and byte ptr [ebx], cl
add cl, byte ptr [ebx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov al, byte ptr [00000644h]
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [edx], al
add byte ptr [eax], al
add eax, 00000200h
add byte ptr [eax], al
NameVirtual AddressVirtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_RESOURCE0x30000x57c.text
IMAGE_DIRECTORY_ENTRY_EXCEPTION0x3e1c0x6c.text
IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
IMAGE_DIRECTORY_ENTRY_BASERELOC0x80000x1b0.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG0x70600x54.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
IMAGE_DIRECTORY_ENTRY_TLS0x00x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_IAT0x00x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x35800x48.text
IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0
NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
.data0x10000x15800x1600256866013fbfa471814f579466446cc4False0.19176136363636365data2.1533367024494297IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text0x30000x428f0x44007db6b7201674b4a993763a4c4a500a93False0.5068359375data5.780313058378867IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc0x80000x1b00x20000f9ac86fd9ddadb2971baf4b7a54e15False0.638671875data4.6077544975514835IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
NameRVASizeTypeLanguageCountryZLIB Complexity
RT_VERSION0x30580x524data0.3882978723404255
No network behavior found

Click to jump to process

Click to jump to process

Click to jump to process

Target ID:0
Start time:11:59:16
Start date:23/10/2024
Path:C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):false
Commandline:loaddll64.exe "C:\Users\user\Desktop\weird.dll"
Imagebase:0x7ff727250000
File size:165'888 bytes
MD5 hash:763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:1
Start time:11:59:16
Start date:23/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:2
Start time:11:59:17
Start date:23/10/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\weird.dll",#1
Imagebase:0x7ff7f2050000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:11:59:17
Start date:23/10/2024
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32.exe "C:\Users\user\Desktop\weird.dll",#1
Imagebase:0x7ff78b230000
File size:71'680 bytes
MD5 hash:EF3179D498793BF4234F708D3BE28633
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

No disassembly