Edit tour

Windows Analysis Report
DK3LmU4Xkl.dll

Overview

General Information

Sample name:	DK3LmU4Xkl.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	990bc4b90a3d10f2ae085497a216e4f4.dll.exe
Analysis ID:	1561758
MD5:	990bc4b90a3d10f2ae085497a216e4f4
SHA1:	1202567c49e3a8c05dca5c0ce82dc6659e425f95
SHA256:	48b51a6bedbda86249a1188c36a007f1ff8fdb3355a75b68eac7aa89ea5ad77a
Tags:	dllexeStrelaStealeruser-abuse_ch
Infos:

Detection

Strela Stealer

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Strela Stealer

AI detected suspicious sample

Machine Learning detection for sample

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file does not import any functions

Program does not show much activity (idle)

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 7312 cmdline: loaddll64.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7364 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 7388 cmdline: rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

regsvr32.exe (PID: 7372 cmdline: regsvr32.exe /s C:\Users\user\Desktop\DK3LmU4Xkl.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

rundll32.exe (PID: 7396 cmdline: rundll32.exe C:\Users\user\Desktop\DK3LmU4Xkl.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000003.00000002.2100895730.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000004.00000002.2095917697.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000005.00000002.2101067512.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000000.00000002.2129643214.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: loaddll64.exe PID: 7312	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 7372	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 7388	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 7396	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.regsvr32.exe.7ff8b8f77404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.regsvr32.exe.7ff8b8f77404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ff8b8f77404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ff8b8f77404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.rundll32.exe.7ff8b8f77404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ff8b8f77404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ff8b8f70000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.rundll32.exe.7ff8b8f77404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ff8b8f70000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ff8b8f77404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
3.2.regsvr32.exe.7ff8b8f70000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.rundll32.exe.7ff8b8f70000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 7 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DK3LmU4Xkl.dll

ReversingLabs: Detection: 39%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 91.3% probability

Machine Learning detection for sample

Source: DK3LmU4Xkl.dll

Joe Sandbox ML: detected

Source: DK3LmU4Xkl.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF8B8F710A0	0_2_00007FF8B8F710A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFC72BC	0_2_000001D30FFC72BC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFC1A90	0_2_000001D30FFC1A90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFC15A0	0_2_000001D30FFC15A0
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFCF4E8	0_2_000001D30FFCF4E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFC1090	0_2_000001D30FFC1090
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_023172BC	3_2_023172BC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02311A90	3_2_02311A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_02311090	3_2_02311090
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0231F4E8	3_2_0231F4E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_023115A0	3_2_023115A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000020810AE15A0	4_2_0000020810AE15A0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000020810AE72BC	4_2_0000020810AE72BC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000020810AE1A90	4_2_0000020810AE1A90
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000020810AE1090	4_2_0000020810AE1090
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000020810AEF4E8	4_2_0000020810AEF4E8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017D3F45F4E8	5_2_0000017D3F45F4E8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017D3F4515A0	5_2_0000017D3F4515A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017D3F451090	5_2_0000017D3F451090
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017D3F4572BC	5_2_0000017D3F4572BC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017D3F451A90	5_2_0000017D3F451A90

Source: DK3LmU4Xkl.dll

Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal64.troj.winDLL@10/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7320:120:WilError_03

Source: DK3LmU4Xkl.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1

Source: DK3LmU4Xkl.dll

ReversingLabs: Detection: 39%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\DK3LmU4Xkl.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\DK3LmU4Xkl.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\DK3LmU4Xkl.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\DK3LmU4Xkl.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: DK3LmU4Xkl.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: DK3LmU4Xkl.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\DK3LmU4Xkl.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFD75DE push ecx; retf 003Fh	0_2_000001D30FFD763E
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFCCCA8 push 6F0000CBh; retf	0_2_000001D30FFCCCAD
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFCCC9C push ebx; retf	0_2_000001D30FFCCC9D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFCCC6C push esi; retf 0000h	0_2_000001D30FFCCC6D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFCCC35 push cs; retf 0000h	0_2_000001D30FFCCC59
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000001D30FFCBBA2 push esp; ret	0_2_000001D30FFCBBA5
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0231BBA2 push esp; ret	3_2_0231BBA5
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0231CC35 push cs; retf 0000h	3_2_0231CC59
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0231CC6C push esi; retf 0000h	3_2_0231CC6D
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0231CCA8 push 6F0000CBh; retf	3_2_0231CCAD
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0231CC9C push ebx; retf	3_2_0231CC9D
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000020810AEBBA2 push esp; ret	4_2_0000020810AEBBA5
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000020810AECCA8 push 6F0000CBh; retf	4_2_0000020810AECCAD
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000020810AECC9C push ebx; retf	4_2_0000020810AECC9D
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000020810AECC35 push cs; retf 0000h	4_2_0000020810AECC59
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000020810AECC6C push esi; retf 0000h	4_2_0000020810AECC6D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017D3F45CC35 push cs; retf 0000h	5_2_0000017D3F45CC59
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017D3F45CCA8 push 6F0000CBh; retf	5_2_0000017D3F45CCAD
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017D3F45CC6C push esi; retf 0000h	5_2_0000017D3F45CC6D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017D3F45CC9C push ebx; retf	5_2_0000017D3F45CC9D
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000017D3F45BBA2 push esp; ret	5_2_0000017D3F45BBA5

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: GetConsoleWindow,CreateThread,GetLocaleInfoA,	0_2_000001D30FFC20E0
Source: C:\Windows\System32\regsvr32.exe	Code function: CreateThread,GetLocaleInfoA,	3_2_023120E0
Source: C:\Windows\System32\rundll32.exe	Code function: CreateThread,GetLocaleInfoA,	4_2_0000020810AE20E0
Source: C:\Windows\System32\rundll32.exe	Code function: CreateThread,GetLocaleInfoA,	5_2_0000017D3F4520E0

Stealing of Sensitive Information

Yara detected Strela Stealer

Source: Yara match	File source: 3.2.regsvr32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2100895730.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2095917697.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2101067512.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2129643214.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7396, type: MEMORYSTR

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match	File source: 3.2.regsvr32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ff8b8f77404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ff8b8f77404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.7ff8b8f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2100895730.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2095917697.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2101067512.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2129643214.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 7312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 7372, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7396, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Regsvr32	OS Credential Dumping	11 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DK3LmU4Xkl.dll	39%	ReversingLabs	Win64.Trojan.Generic
DK3LmU4Xkl.dll	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561758
Start date and time:	2024-11-24 08:39:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DK3LmU4Xkl.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	990bc4b90a3d10f2ae085497a216e4f4.dll.exe
Detection:	MAL
Classification:	mal64.troj.winDLL@10/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 19 Number of non-executed functions: 21
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: DK3LmU4Xkl.dll

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.729890158124373
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	DK3LmU4Xkl.dll
File size:	141'824 bytes
MD5:	990bc4b90a3d10f2ae085497a216e4f4
SHA1:	1202567c49e3a8c05dca5c0ce82dc6659e425f95
SHA256:	48b51a6bedbda86249a1188c36a007f1ff8fdb3355a75b68eac7aa89ea5ad77a
SHA512:	edbcd7a25d42c828abf247a72b7dec03d208c5d9d2f7d18d1eeac1711444587bfcc79aec89301e3b41c14a61f37e78c92180c269722337ade3a588536d3a1140
SSDEEP:	3072:jnJR01T5K/tVwrwnF28z5Qnfo9db/Vq1LAZmonIbTxaZeaL0Q:1R0/K/tVHhQfojbtqSdSTxaZJ
TLSH:	5AD3F1FB2214858FFB6231FD07DEA895B0A160DAD20DF12780ED89B2887D56C455EE3D
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....1g.........." .....H...................................................p............`........................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180001090
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x67311609 [Sun Nov 10 20:22:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
mov eax, 00000001h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
inc ecx
push edi
inc ecx
push esi
inc ecx
push ebp
inc ecx
push esp
push esi
push edi
push ebx
dec eax
sub esp, 00000128h
dec eax
lea ebp, dword ptr [esp+00000080h]
inc sp
movq qword ptr [ebp+00000090h], mm7
inc sp
movq qword ptr [ebp+00000080h], mm6
inc sp
movq qword ptr [ebp+70h], mm5
inc sp
movq qword ptr [ebp+60h], mm4
inc sp
movq qword ptr [ebp+50h], mm3
inc sp
movq qword ptr [ebp+40h], mm2
inc sp
movq qword ptr [ebp+30h], mm1
inc sp
movq qword ptr [ebp+20h], mm0
movdqa dqword ptr [ebp+10h], xmm7
movdqa dqword ptr [ebp+00h], xmm6
mov eax, dword ptr [0002334Fh]
mov edx, dword ptr [0002334Dh]
lea ecx, dword ptr [eax-01h]
imul ecx, eax
mov eax, ecx
not eax
mov ebx, eax
and ebx, FFFFFFFEh
and ecx, 01h
or ecx, ebx
xor eax, ecx
test eax, ecx
inc ecx
sete al
setne bl
cmp edx, 0Ah
setl cl
cmp edx, 09h
setnle al
or al, bl
mov edx, eax
xor dl, 00000001h
inc esp
xor cl, al
inc esp
mov esi, dword ptr [00023315h]
inc esp
mov ebx, dword ptr [00023312h]
cmp dl, cl
jne 00007F38E8B100AFh
xor cl, 00000001h
or al, cl
xor al, 01h
je 00007F38E8B1019Eh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x6220	0x52	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x25000	0x18	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x47f7	0x4800	c00c0f87260d6cd79c776f80f04984b3	False	0.6581488715277778	data	6.794170519589856	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x6000	0x2c0	0x400	ad8b4deb0ec58a1f52f1020d1be7b956	False	0.23046875	data	4.564140817949314	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x7000	0x1d498	0x1d600	1977d27562db72bb41b8692f3a2e4e7c	False	0.8679271941489362	data	7.729282536350062	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x25000	0x18	0x200	eb351d287e0ffa16b2b47c1f62fa457b	False	0.0625	data	0.2311581448570176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x1a8	0x200	082774175c3ed4a63cb8411ddc72bd3d	False	0.482421875	data	4.182807530451981	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x26060	0x143	XML 1.0 document, ASCII text	English	United States	0.628482972136223

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180001080

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	02:39:56
Start date:	24/11/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll"
Imagebase:	0x7ff6039b0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000000.00000002.2129643214.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:39:56
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:39:56
Start date:	24/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1
Imagebase:	0x7ff60b4e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:39:56
Start date:	24/11/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\DK3LmU4Xkl.dll
Imagebase:	0x7ff788290000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.2100895730.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:39:56
Start date:	24/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\DK3LmU4Xkl.dll",#1
Imagebase:	0x7ff606c20000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.2095917697.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:39:56
Start date:	24/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\DK3LmU4Xkl.dll,DllRegisterServer
Imagebase:	0x7ff606c20000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.2101067512.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.8%
Dynamic/Decrypted Code Coverage:	78.9%
Signature Coverage:	31.6%
Total number of Nodes:	38
Total number of Limit Nodes:	6

Executed Functions

Function 00007FF8B8F710A0 Relevance: 12.0, APIs: 2, Strings: 2, Instructions: 4965COMMON

Download Yara Rule

Strings

ZdDEUTcrHqDaPoRCMCtQfMCpqcRDvvbZViBijbEBYfpRoUhSnDipskGhWQzQcOkdDSGoSRTLOCEgdrRwxeRZjeiIziggdZmjJXYRXrmaZdyUfQYDbHXJHLfdhSaqOniYXgFGDmoEVQyhcCwqDcGnzikjsaUEFUkQTulYCOWZlrJSiUUSCaAVesAGBeGhiMTmtfUdqmQtdyHUQmkFVXLrUXohZpeFJpYdRtofwFRgTvZgfeClrOvmDGCMsQbdaBBmumBm, xrefs: 00007FF8B8F7290E
j, xrefs: 00007FF8B8F717C9

Memory Dump Source

Source File: 00000000.00000002.2129607497.00007FF8B8F71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF8B8F70000, based on PE: true

Associated: 00000000.00000002.2129580928.00007FF8B8F70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129628860.00007FF8B8F76000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129643214.00007FF8B8F77000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2129663686.00007FF8B8F96000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff8b8f70000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID: j$ZdDEUTcrHqDaPoRCMCtQfMCpqcRDvvbZViBijbEBYfpRoUhSnDipskGhWQzQcOkdDSGoSRTLOCEgdrRwxeRZjeiIziggdZmjJXYRXrmaZdyUfQYDbHXJHLfdhSaqOniYXgFGDmoEVQyhcCwqDcGnzikjsaUEFUkQTulYCOWZlrJSiUUSCaAVesAGBeGhiMTmtfUdqmQtdyHUQmkFVXLrUXohZpeFJpYdRtofwFRgTvZgfeClrOvmDGCMsQbdaBBmumBm
API String ID: 0-96800106
Opcode ID: e9e195c3c8b014f90d5bc867ed007e9f1c31cd3fcc6ed35325a23fc04341cc7b
Instruction ID: dea8b69de9c8b306f6b14b240fca2d4da0f4e24b18f384220675ea036cb4911e
Opcode Fuzzy Hash: e9e195c3c8b014f90d5bc867ed007e9f1c31cd3fcc6ed35325a23fc04341cc7b
Instruction Fuzzy Hash: 1D739F7BF24A1107FB04CB3998523FA2B92ABA63E4F15A335DE29537D5DB3DD4068204

Function 000001D30FFC20E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 000001D30FFC20ED
CreateThread.KERNELBASE ref: 000001D30FFC211D
GetLocaleInfoA.KERNELBASE ref: 000001D30FFC21E5

Strings

5, xrefs: 000001D30FFC225D

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID: ConsoleCreateInfoLocaleThreadWindow
String ID: 5
API String ID: 1307802651-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: a1e1ae5dd12567615bc6d155de5d8ec489bc8e6e57118b0a4cfec84389909cd4
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: D241B332214A448BF719EF24D9997EB77E1FBD8305F40862EF157C21E6DE388505CA82

Function 000001D30FFCA87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 000001D30FFCA90B

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction ID: 15f7f069d7b40a60e09343b63c2caad344c2fb121b42510ff38be4d31b15e963
Opcode Fuzzy Hash: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction Fuzzy Hash: 9031B032508E2E9FE7A5DF2C85956A0B7D0F70D360F65074AE46AC71E4C638E9A183C6

Function 000001D30FFC1000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 000001D30FFC104B

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 2a5b170d885a90da96480aba9e3a52478ef9beaf5a64253f88d2b4326b5c7de7
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 0F01673150C5448FFB06EB28D8987D677E1F76D305F008569E0CAC72A6DE7C8658C751

Function 000001D30FFC6F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,000001D30FFC6F64), ref: 000001D30FFC6F93

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: ee7f9604fab5c7fb0c86feca9dedc58bb051d001dddf0d0ccc3a55d76a232782
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: 90D017323043081BEA287BB85A982AD27618B49305F0018397916CA6A7DD3A8849C783

Function 000001D30FFC20B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 000001D30FFC20CA

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 000001D30FFCF4E8 Relevance: 1.8, APIs: 1, Instructions: 321COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000001D30FFCF737

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
Instruction ID: 9726a687ec78a057faedc703007b8b070d4ab02721044576b80c29aa7a1fe98f
Opcode Fuzzy Hash: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
Instruction Fuzzy Hash: F6C1A032510B5D8FEB98CF1CC98AB9677E1FF49304F15858AE8A9CB2A1C335D852CB51

Function 000001D30FFC15A0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f9392618ee0be8b2838eee92702fec4626de7f7bd0dc604c65336cad8c2563
Instruction ID: 421a42bec5f36546fd46ce67b1cf592c2e040ce028fb7ce105a8fb7204119fc2
Opcode Fuzzy Hash: e4f9392618ee0be8b2838eee92702fec4626de7f7bd0dc604c65336cad8c2563
Instruction Fuzzy Hash: 2EE14072518B488FEB65EF18D8897EA77E1FB98305F00462EA49AC3161DF349645CBC3

Function 000001D30FFC1A90 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f301177accb7d0ce1b8505d76f0598128b48e2f6fca66abbe616489d302d7cc2
Instruction ID: 00b88b217588cb4a0c40158d47b1e8a422d3a54d724fdc8389663161bb308d57
Opcode Fuzzy Hash: f301177accb7d0ce1b8505d76f0598128b48e2f6fca66abbe616489d302d7cc2
Instruction Fuzzy Hash: 01B15532218A594FEB69EF28DC557FA73E1FB98311F00462AE45BC3191DF349A05CB82

Function 000001D30FFC1090 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004e5bc4f416d9accfca0753fc8d67adee0aa063ac23580ea370914e8b763bcf
Instruction ID: 47c30349fa7e3cedaf3dafd0c097aff6c6dd6002b919222c0ee723f298744498
Opcode Fuzzy Hash: 004e5bc4f416d9accfca0753fc8d67adee0aa063ac23580ea370914e8b763bcf
Instruction Fuzzy Hash: C171D43261CB584FE758DF1898493BA77D1FB89711F00826EE88BC3252EF34995187C2

Function 000001D30FFC72BC Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f0a361053a8720fb197dd7f2de9fba19a6b2a280636273193b063dd5433016
Instruction ID: fc3a0ae1fb0aaefbd81f8284c4b56370335e7f07b244e9203b2a0e09e236f81f
Opcode Fuzzy Hash: 30f0a361053a8720fb197dd7f2de9fba19a6b2a280636273193b063dd5433016
Instruction Fuzzy Hash: E851F033318E188FDB4CEE6CD4996A573D2E7AC311B15822FF40AD72A5DA70D9468BC1

Function 000001D30FFC40B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000001D30FFC410C

Part of subcall function 000001D30FFC5054: __GetUnwindTryBlock.LIBCMT ref: 000001D30FFC5097
Part of subcall function 000001D30FFC5054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000001D30FFC50BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000001D30FFC41E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000001D30FFC4433
std::bad_alloc::bad_alloc.LIBCMT ref: 000001D30FFC453F

Strings

csm, xrefs: 000001D30FFC4207
csm, xrefs: 000001D30FFC4126
csm, xrefs: 000001D30FFC418D

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: da248045f46985bceaba394a2791b33140d52f959df08c5157554afa7291bb75
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 07F1AF32918B188FEB54EF6885957E977E0FB98310F50061EE499C3296DB30DA81CBC2

Function 000001D30FFC4930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D30FFC4958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000001D30FFC4A40

Strings

csm, xrefs: 000001D30FFC4A92
csm, xrefs: 000001D30FFC497A

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: 9656f00a71c2d32be37a3d22d00e3e43fe1fa3db1e54b1034bbf47333756e3c0
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: 8B718233514A298FEBA8DF1881993A4B3D1FB5C311F64555BA4A9C76A2CB30DA80C7C7

Function 000001D30FFC4580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000001D30FFC462B

Strings

MOC, xrefs: 000001D30FFC45F3
RCC, xrefs: 000001D30FFC45FB

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: f5eacc3f1284c3e502a5136a25ec4e4bfd2cd9fc782f07c7b5d7495420b05228
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: 32718F32518B588FE764EF18C546BEAB7E0FB9D300F044A5EE499C3252D774A681CB83

Function 000001D30FFC2CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000001D30FFC2D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 000001D30FFC2DB2

Strings

csm, xrefs: 000001D30FFC2D99

Memory Dump Source

Source File: 00000000.00000002.2129338789.000001D30FFC1000.00000040.00001000.00020000.00000000.sdmp, Offset: 000001D30FFC1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1d30ffc1000_loaddll64.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: 122fcbd7fe2b08559be5953b17a7a182b03b311a78cfb8ec463fab7099d454bf
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 4F71D333208A288BEF28EE1CD5857B473D1FB58350F10456FF896D3296EB20ED5186C2

Analysis Process: regsvr32.exePID: 7372, Parent PID: 7312COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Executed Functions

Function 023120E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 0231211D
GetLocaleInfoA.KERNELBASE ref: 023121E5

Strings

5, xrefs: 0231225D

Memory Dump Source

Source File: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, Offset: 02311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2311000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: af2d445ac42481d8b8a9f94f258ccec68b0c7a7079aa1119e42e7954a7a9010f
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: 8041A331214A488BE72DEF64DC986EB77E2FBD4305F44853DE58BC21A4DF38944ACA42

Function 02311000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 0231104B

Memory Dump Source

Source File: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, Offset: 02311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2311000_regsvr32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 53e67f46a25f38678dd13078ab743a336a9114571b0b271dccea06c76fa86a6c
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 79018B3050C6448FFB06EB68DC987D677E1F769305F008569E0CAC72A5DEBC8558CB41

Function 02316F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,02316F64), ref: 02316F93

Memory Dump Source

Source File: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, Offset: 02311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2311000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: b1719d9553d5769ff6e0b6c6e61de1b7683eea0a1bd72ad8b2822ea64b5e05bd
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: E8D0C7343007095FEB2C7BF9599D23D266ADB45205F001C3C6903CB6A6CE3AD849CF42

Function 023120B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 023120CA

Memory Dump Source

Source File: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, Offset: 02311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2311000_regsvr32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 023140B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0231410C

Part of subcall function 02315054: __GetUnwindTryBlock.LIBCMT ref: 02315097
Part of subcall function 02315054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 023150BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 023141E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 02314433
std::bad_alloc::bad_alloc.LIBCMT ref: 0231453F

Strings

csm, xrefs: 02314126
csm, xrefs: 0231418D
csm, xrefs: 02314207

Memory Dump Source

Source File: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, Offset: 02311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2311000_regsvr32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: fc1e2fac293b437012a88f9be95e7777787d9a91408c93b44c9087ca6826ff01
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 7EE1B230918B488FDB28EF68C485BADB7E1FF99314F54465ED589D7215DB30E882CB82

Function 02314930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02314958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 02314A40

Strings

csm, xrefs: 02314A92
csm, xrefs: 0231497A

Memory Dump Source

Source File: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, Offset: 02311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2311000_regsvr32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: 0f50a0ea9d4764e6ba7d9e8f5a6d44cc31025871e675cc69778591431e434408
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: 88619034618B098FCB7CDF288089725B7E1FB98315F58865ED68DC7695DB34D880CB86

Function 02312CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 02312D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 02312DB2

Strings

csm, xrefs: 02312D99

Memory Dump Source

Source File: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, Offset: 02311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2311000_regsvr32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: 117826fcb26647dfeea8f29c328cea7a353034c430f3ff44008cf20aadbf68d4
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: DE61D330218A288BCF2CEE5CD885A7673D1FB54754F10456EEC8AC3256EB34E8A1CB95

Function 02314580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0231462B

Strings

RCC, xrefs: 023145FB
MOC, xrefs: 023145F3

Memory Dump Source

Source File: 00000003.00000002.2100662782.0000000002311000.00000040.00001000.00020000.00000000.sdmp, Offset: 02311000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_2311000_regsvr32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: e2d01bd4d96cf7b9004a95ed86fa05f366d38714f627031f736a4038092c2466
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: 8A717F30518B488FDB68EF18D446BAAB7E0FF99314F144A5EE59DC3211DB74E581CB82

Analysis Process: rundll32.exePID: 7388, Parent PID: 7364COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	4

Executed Functions

Function 0000020810AE20E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 0000020810AE211D
GetLocaleInfoA.KERNELBASE ref: 0000020810AE21E5

Strings

5, xrefs: 0000020810AE225D

Memory Dump Source

Source File: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020810AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20810ae1000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: 8765e32b16ae20e14d1cf3ff18980e24a348931e4f8cd85969abc26e471a89d7
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: D94190302147548BE719EB24DC9DBEFB7E2FFD4305F40852DE18BD21A6DE7894068A42

Function 0000020810AEA87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 0000020810AEA90B

Memory Dump Source

Source File: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020810AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20810ae1000_rundll32.jbxd

Yara matches

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction ID: 4aa94aef12c0360b6ba08e4b24f386081ec3e7d57a42e01f9cbf1b6ce574add7
Opcode Fuzzy Hash: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction Fuzzy Hash: B631E930408F2A4FD7A5DF2C8898B65B6D0FF19360F650749E49ED71E2CA70E892C781

Function 0000020810AE1000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 0000020810AE104B

Memory Dump Source

Source File: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020810AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20810ae1000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 5e9163ab15e82a6a243047bee7b1ce78a367e5f697938d6056eb15e8c2b8846f
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 760167305086448FFB06EB28DC98BD677E1FB69305F008569E0CAD72A6DEBC8558C741

Function 0000020810AE6F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,0000020810AE6F64), ref: 0000020810AE6F93

Memory Dump Source

Source File: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020810AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20810ae1000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 45132b564f13ad167317d745661d317d0e3778bc97bbc6f88880d379b130cb5f
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: C7D017303003080BEA187BB86D8C62E36618F49345F001C38A947DA6A7CD7A884A8B02

Function 0000020810AE20B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 0000020810AE20CA

Memory Dump Source

Source File: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020810AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20810ae1000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 0000020810AE40B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000020810AE410C

Part of subcall function 0000020810AE5054: __GetUnwindTryBlock.LIBCMT ref: 0000020810AE5097
Part of subcall function 0000020810AE5054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000020810AE50BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000020810AE41E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000020810AE4433
std::bad_alloc::bad_alloc.LIBCMT ref: 0000020810AE453F

Strings

csm, xrefs: 0000020810AE4126
csm, xrefs: 0000020810AE418D
csm, xrefs: 0000020810AE4207

Memory Dump Source

Source File: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020810AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20810ae1000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 3d94d6f339ab5c8742bd8fc3c4449d0b86f79c4f5422af6e510c4ab6d3ee2796
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: ADF15130514B588BEB54EF688849BAEB7E4FF59310F50465DE48DD7293DF70D8828B81

Function 0000020810AE4930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000020810AE4958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000020810AE4A40

Strings

csm, xrefs: 0000020810AE497A
csm, xrefs: 0000020810AE4A92

Memory Dump Source

Source File: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020810AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20810ae1000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: 279b0b55276671392a805de4b673a2e3ccccd4b1e63d7511be05656615ea83d8
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: AB719E30504B188BEBA89B18888DB6AF7D5FF54311F14465AD4CDE7693DFB0D882CB46

Function 0000020810AE4580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000020810AE462B

Strings

RCC, xrefs: 0000020810AE45FB
MOC, xrefs: 0000020810AE45F3

Memory Dump Source

Source File: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020810AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20810ae1000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: 91d59bc741bd356b400070e7124c9d42315d77d00372012196a127bb61c1f9ef
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: 6A715030518B588FE7649F18D84ABAAB7E0FF99310F144A5DE4CDD3152DFB4A582CB82

Function 0000020810AE2CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000020810AE2D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 0000020810AE2DB2

Strings

csm, xrefs: 0000020810AE2D99

Memory Dump Source

Source File: 00000004.00000002.2095665695.0000020810AE1000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000020810AE1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20810ae1000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: 4208958e53f50c021fd15f676ecb6e1309bbf337e9ff6318336b369619333881
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: A2717530208B248FDB68EA5CD889B79B7D1FF54350F10456DE8CAD3197EE64EC528B85

Analysis Process: rundll32.exePID: 7396, Parent PID: 7312COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Executed Functions

Function 0000017D3F4520E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 0000017D3F45211D
GetLocaleInfoA.KERNELBASE ref: 0000017D3F4521E5

Strings

5, xrefs: 0000017D3F45225D

Memory Dump Source

Source File: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017D3F451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17d3f451000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: bcedf49f890a55f0a2095a3cb6c3e1e233db69733736b8a30f814cfc657b5441
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: 8741BE70218A4C8BF719EB64E899BEB73F1FFD4301F40856EE18FC21A5DE3885058A42

Function 0000017D3F451000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 0000017D3F45104B

Memory Dump Source

Source File: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017D3F451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17d3f451000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 306fa01e9baca4ba0b9f8b0b0794b0ef2070f4fc14b2d06344422e382155951c
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 2101677150C6488FFB06EB28D898BD677E1F769305F008569E0CEC72A6DE7C8558C742

Function 0000017D3F456F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,0000017D3F456F64), ref: 0000017D3F456F93

Memory Dump Source

Source File: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017D3F451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17d3f451000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 78ce1100051a88c121c258f3543223483f4063ff90a4c9b8080b3e6eb188052f
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: C2D0177170420C0BFA187BB869886AD2671AB45309F001878694ACA6A7DD3AC8498703

Function 0000017D3F4520B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 0000017D3F4520CA

Memory Dump Source

Source File: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017D3F451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17d3f451000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 0000017D3F4540B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0000017D3F45410C

Part of subcall function 0000017D3F455054: __GetUnwindTryBlock.LIBCMT ref: 0000017D3F455097
Part of subcall function 0000017D3F455054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 0000017D3F4550BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 0000017D3F4541E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 0000017D3F454433
std::bad_alloc::bad_alloc.LIBCMT ref: 0000017D3F45453F

Strings

csm, xrefs: 0000017D3F454126
csm, xrefs: 0000017D3F45418D
csm, xrefs: 0000017D3F454207

Memory Dump Source

Source File: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017D3F451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17d3f451000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 794a11f58709d19b83ab01fe70d67c521e0e9858243fca70c0e9c68caaccfee7
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: BCF16D70918A0C8BFB54EF68A455FE977F1FF59310F540699E48DC72A6DB309881CB82

Function 0000017D3F454930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017D3F454958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 0000017D3F454A40

Strings

csm, xrefs: 0000017D3F454A92
csm, xrefs: 0000017D3F45497A

Memory Dump Source

Source File: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017D3F451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17d3f451000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: bfee1e0c357266b4df400d37554b709b0225e42bc4e5e28a49c587f18eb79656
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: EF717270518A0D8BFBA8EB19A099FA4B7F1FF54311F64459A94CDCB6A2DB309880C743

Function 0000017D3F452CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 0000017D3F452D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 0000017D3F452DB2

Strings

csm, xrefs: 0000017D3F452D99

Memory Dump Source

Source File: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017D3F451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17d3f451000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: ab8927715c533033a10fe4e630bef94d1bb099d5af6361df72e3613abd8df605
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 0371627020CA1C8BEF68FA5CE485BB473F1FF54350F1045AEE8CEC7296E624E9518696

Function 0000017D3F454580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0000017D3F45462B

Strings

MOC, xrefs: 0000017D3F4545F3
RCC, xrefs: 0000017D3F4545FB

Memory Dump Source

Source File: 00000005.00000002.2100844159.0000017D3F451000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000017D3F451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_17d3f451000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: a936ed45a4b5b513d26039aaae831e27e29e762b958f558b0076241f1e4e4013
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: F1715C7051CB4C8BE764AB19A446FEAB7F0FF99300F044A9EA4CDC7252D774A5818B83

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DK3LmU4Xkl.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 7312, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 7320, Parent PID: 7312

General

Windows Analysis Report
DK3LmU4Xkl.dll

Function 000001D30FFC20E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134
threadCOMMON

Function 000001D30FFCA87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 000001D30FFC1000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 000001D30FFC6F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 000001D30FFC20B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 000001D30FFC40B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 000001D30FFC4930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 000001D30FFC4580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Function 000001D30FFC2CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 023120E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Function 02311000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 02316F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 023120B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 023140B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 02314930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 02312CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 02314580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Function 0000020810AE20E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON