Windows Analysis Report
QtWebKit4.dll

Overview

General Information

Sample name: QtWebKit4.dll
Analysis ID: 1542207
MD5: 9dc82a9b33a2c04dbeb671c6edf76caa
SHA1: 039db543d6f710d32b235dd9c8dc96058ce51832
SHA256: bda7fb47d02d4ab1464dd7cd18a0cf1a4c12fdc0d17182541040b113118ed725
Tags: dll, user-JAMESWT_MHT

Detection

Score: 3
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

Source: QtWebKit4.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: QtWebKit4.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: QtWebKit4.dll String found in binary or memory: http://crbug.com/12361).
Source: QtWebKit4.dll String found in binary or memory: http://groups.google.com/group/http-archive-specification/web/har-1-2-spec
Source: QtWebKit4.dll String found in binary or memory: http://webkit.org/b/16699
Source: QtWebKit4.dll String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: QtWebKit4.dll String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtdHTML-/W3C/DTD
Source: QtWebKit4.dll String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=58127
Source: classification engine Classification label: clean3.winDLL@12/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2244:120:WilError_03
Source: QtWebKit4.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QtWebKit4.dll,??0DumpRenderTreeSupportQt@@QAE@XZ
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\QtWebKit4.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\QtWebKit4.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\QtWebKit4.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QtWebKit4.dll,??0JSString@JSC@@AAE@W4VPtrStealingHackType@JSCell@1@@Z
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QtWebKit4.dll,??0JSString@JSC@@QAE@PAVExecState@1@VJSValue@1@11@Z
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: qtgui4.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: qtnetwork4.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: qtcore4.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcp100.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcr100.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: QtWebKit4.dll Static PE information: 924 exports found (more than 100)
Source: QtWebKit4.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: QtWebKit4.dll Static file information: File size 13112320 > 1048576
Source: QtWebKit4.dll Static PE information: Raw size of .text (0x8a7000) is bigger than: 0x100000
Source: QtWebKit4.dll Static PE information: Raw size of .rdata (0x2e4600) is bigger than: 0x100000
Source: QtWebKit4.dll Static PE information: More than 200 imports for QtGui4.dll
Source: QtWebKit4.dll Static PE information: More than 200 imports for QtCore4.dll
Source: QtWebKit4.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QtWebKit4.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QtWebKit4.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QtWebKit4.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QtWebKit4.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: QtWebKit4.dll Static PE information: section name: .unwante
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
No contacted IP infos