Edit tour

Windows Analysis Report
RtJvzroKSq.dll

Overview

General Information

Sample name:	RtJvzroKSq.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original sample name:	b9876905ef39a784dd9ab1e41288bd98.dll.exe
Analysis ID:	1561759
MD5:	b9876905ef39a784dd9ab1e41288bd98
SHA1:	6897879ed1b961aad24cd37903d900492d279f6b
SHA256:	6ae95415ed900953fcf4618b9896ed8ea93c60e1b1f5e587b356ea2b24e2acf6
Tags:	dllexeStrelaStealeruser-abuse_ch
Infos:

Detection

Strela Stealer

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Strela Stealer

AI detected suspicious sample

Machine Learning detection for sample

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file does not import any functions

Program does not show much activity (idle)

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 2944 cmdline: loaddll64.exe "C:\Users\user\Desktop\RtJvzroKSq.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3116 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 3284 cmdline: rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

regsvr32.exe (PID: 2332 cmdline: regsvr32.exe /s C:\Users\user\Desktop\RtJvzroKSq.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

rundll32.exe (PID: 2216 cmdline: rundll32.exe C:\Users\user\Desktop\RtJvzroKSq.dll,DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000000.00000002.1502684092.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000006.00000002.1472951159.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000004.00000002.1465493426.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000005.00000002.1472723820.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: loaddll64.exe PID: 2944	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: regsvr32.exe PID: 2332	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 3284	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Process Memory Space: rundll32.exe PID: 2216	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author
4.2.regsvr32.exe.7ffbbca00000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ffbbca00000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ffbbca06404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
6.2.rundll32.exe.7ffbbca06404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ffbbca00000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
5.2.rundll32.exe.7ffbbca06404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ffbbca06404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
6.2.rundll32.exe.7ffbbca06404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.regsvr32.exe.7ffbbca06404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
0.2.loaddll64.exe.7ffbbca06404.1.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
6.2.rundll32.exe.7ffbbca00000.0.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
4.2.regsvr32.exe.7ffbbca06404.1.raw.unpack	JoeSecurity_StrelaStealer	Yara detected Strela Stealer	Joe Security
Click to see the 7 entries

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: RtJvzroKSq.dll	Virustotal: Detection: 41%			Perma Link
Source: RtJvzroKSq.dll	ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Machine Learning detection for sample

Source: RtJvzroKSq.dll

Joe Sandbox ML: detected

Source: RtJvzroKSq.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD1F4E8	0_2_000002093FD1F4E8
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD11090	0_2_000002093FD11090
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD172BC	0_2_000002093FD172BC
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD11A90	0_2_000002093FD11A90
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD115A0	0_2_000002093FD115A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_0059F4E8	4_2_0059F4E8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_00591090	4_2_00591090
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_005915A0	4_2_005915A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_00591A90	4_2_00591A90
Source: C:\Windows\System32\regsvr32.exe	Code function: 4_2_005972BC	4_2_005972BC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002B6D14515A0	5_2_000002B6D14515A0
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002B6D145F4E8	5_2_000002B6D145F4E8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002B6D1451090	5_2_000002B6D1451090
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002B6D14572BC	5_2_000002B6D14572BC
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_000002B6D1451A90	5_2_000002B6D1451A90
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000260C5271A90	6_2_00000260C5271A90
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000260C52772BC	6_2_00000260C52772BC
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000260C52715A0	6_2_00000260C52715A0
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000260C5271090	6_2_00000260C5271090
Source: C:\Windows\System32\rundll32.exe	Code function: 6_2_00000260C527F4E8	6_2_00000260C527F4E8

Source: RtJvzroKSq.dll

Static PE information: No import functions for PE file found

Source: classification engine

Classification label: mal64.troj.winDLL@10/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03

Source: RtJvzroKSq.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1

Source: RtJvzroKSq.dll	Virustotal: Detection: 41%
Source: RtJvzroKSq.dll	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\RtJvzroKSq.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\RtJvzroKSq.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\RtJvzroKSq.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\RtJvzroKSq.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\RtJvzroKSq.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: RtJvzroKSq.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: RtJvzroKSq.dll

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\RtJvzroKSq.dll

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD210BC push esi; retf	0_2_000002093FD210C3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD210C4 push esi; retf	0_2_000002093FD210CB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD210AC push esi; retf	0_2_000002093FD210B3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD210DC push esi; retf	0_2_000002093FD210E3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD210E4 push esi; retf	0_2_000002093FD210EB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD210CC push esi; retf	0_2_000002093FD210DB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD21084 push esi; retf	0_2_000002093FD2108B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD1CC6C push esi; retf 0000h	0_2_000002093FD1CC6D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD2106C push esi; retf	0_2_000002093FD210DB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD1CC9C push ebx; retf	0_2_000002093FD1CC9D
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD2109C push ebp; retf	0_2_000002093FD210AB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD1CCA8 push 6F0000CBh; retf	0_2_000002093FD1CCAD
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD2108C push ebp; retf	0_2_000002093FD2109B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD1CC35 push cs; retf 0000h	0_2_000002093FD1CC59
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD21064 push esi; retf	0_2_000002093FD2106B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD21003 push esi; retf	0_2_000002093FD21063
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD1BBA2 push esp; ret	0_2_000002093FD1BBA5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD212FA push ebp; retf	0_2_000002093FD212FB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD21300 push ebp; retf	0_2_000002093FD21303
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD212EC push ebp; retf	0_2_000002093FD212F3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD2130A push esi; retf	0_2_000002093FD2130B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD21310 push esi; retf	0_2_000002093FD21313
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD21318 push ebp; retf	0_2_000002093FD2131B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD212C4 push ebp; retf	0_2_000002093FD212CB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD212B4 push ebp; retf	0_2_000002093FD212C3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD212DC push ebp; retf	0_2_000002093FD212E3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD212DA push ebp; retf	0_2_000002093FD212DB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD212E4 push ebp; retf	0_2_000002093FD212EB
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD212D2 push esi; retf	0_2_000002093FD212D3
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD2126C push esi; retf	0_2_000002093FD2128B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000002093FD212A4 push esi; retf	0_2_000002093FD212B3

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	Code function: GetConsoleWindow,CreateThread,GetLocaleInfoA,	0_2_000002093FD120E0
Source: C:\Windows\System32\regsvr32.exe	Code function: CreateThread,GetLocaleInfoA,	4_2_005920E0
Source: C:\Windows\System32\rundll32.exe	Code function: CreateThread,GetLocaleInfoA,	5_2_000002B6D14520E0
Source: C:\Windows\System32\rundll32.exe	Code function: CreateThread,GetLocaleInfoA,	6_2_00000260C52720E0

Stealing of Sensitive Information

Yara detected Strela Stealer

Source: Yara match	File source: 4.2.regsvr32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1502684092.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1472951159.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1465493426.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1472723820.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 2944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2216, type: MEMORYSTR

Remote Access Functionality

Yara detected Strela Stealer

Source: Yara match	File source: 4.2.regsvr32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.7ffbbca06404.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.7ffbbca00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.regsvr32.exe.7ffbbca06404.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1502684092.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1472951159.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1465493426.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1472723820.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll64.exe PID: 2944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: regsvr32.exe PID: 2332, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3284, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2216, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Regsvr32	OS Credential Dumping	11 System Information Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RtJvzroKSq.dll	42%	Virustotal		Browse
RtJvzroKSq.dll	42%	ReversingLabs	Win64.Trojan.Generic
RtJvzroKSq.dll	100%	Joe Sandbox ML

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561759
Start date and time:	2024-11-24 08:39:30 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RtJvzroKSq.dll (renamed file extension from exe to dll, renamed because original name is a hash value)
Original Sample Name:	b9876905ef39a784dd9ab1e41288bd98.dll.exe
Detection:	MAL
Classification:	mal64.troj.winDLL@10/0@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 18 Number of non-executed functions: 21
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.734800381103567
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	RtJvzroKSq.dll
File size:	139'776 bytes
MD5:	b9876905ef39a784dd9ab1e41288bd98
SHA1:	6897879ed1b961aad24cd37903d900492d279f6b
SHA256:	6ae95415ed900953fcf4618b9896ed8ea93c60e1b1f5e587b356ea2b24e2acf6
SHA512:	fac53ea7e508a0868362b9682d12e5bb49db016f7f862390d196ddd32237058314e76716ee0a3388c0ac19be016ecaa35cb67d7d86f7e9c453ab1666d6abeb8b
SSDEEP:	3072:fGAFnquXnBjSa00i+OcCt8Eu0D1iian9ZNGMrR6vCBV/x/zoVFAmbL5N8f4dJJYO:+y/f098Eu0DEiqZNj4afJsrb
TLSH:	6BD3F15BE0992034EE4A2EB7F4BA6218D093718DE79D14DB0CC49D123A1B2CB6DF7E01
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d.....1g.........." .....@.......... N.......................................`............`........................................

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x180004e20
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6731A603 [Mon Nov 11 06:36:51 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
mov eax, dword ptr [0001E662h]
lea ecx, dword ptr [eax-01h]
imul ecx, eax
mov eax, ecx
not eax
and eax, EADA5B58h
and ecx, 1525A4A7h
or ecx, eax
mov eax, ecx
xor eax, 1525A4A7h
xor ecx, E2104348h
and ecx, F334C74Ch
mov edx, eax
and edx, 0CCB38B3h
or edx, ecx
xor edx, 0CCB38B2h
and eax, FFFFFFFEh
or eax, edx
mov ecx, eax
not ecx
and ecx, F9607F86h
and eax, 069F8079h
or eax, ecx
xor eax, 069F8079h
sete dl
cmp dword ptr [0001E607h], 0Ah
setl al
xor dl, al
mov ecx, edx
xor cl, 00000001h
and al, cl
cmp al, dl
jne 00007FAEB8BAD4DFh
xor al, 01h
or al, cl
xor al, 01h
jne 00007FAEB8BAD4D7h
nop dword ptr [eax]
jmp 00007FAEB8BAD4D0h
mov eax, 00000001h
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x51f0	0x56	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x25000	0x1a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x24000	0xc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3ea8	0x4000	260759e5b2e324f50ba7708522306d89	False	0.68011474609375	data	6.785578285605347	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5000	0x288	0x400	2822e945288180223c0fef299cceb1d5	False	0.2177734375	data	4.2868783837407936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6000	0x1d498	0x1d600	2e80b7e300f7d384eb56671c221b1fa3	False	0.8682263962765957	data	7.7361582892642105	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x24000	0xc	0x200	68fbf3f0bb0267cdefae78106467b1e9	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x25000	0x1a8	0x200	dc8a7a3ba49348b04c8bceefe511f730	False	0.482421875	data	4.1813331407993175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x25060	0x143	XML 1.0 document, ASCII text	English	United States	0.628482972136223

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x180001000

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	02:40:26
Start date:	24/11/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\RtJvzroKSq.dll"
Imagebase:	0x7ff644830000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000000.00000002.1502684092.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	02:40:26
Start date:	24/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:40:27
Start date:	24/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1
Imagebase:	0x7ff7fcf50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:40:27
Start date:	24/11/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\RtJvzroKSq.dll
Imagebase:	0x7ff7f7780000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000004.00000002.1465493426.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:40:27
Start date:	24/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\RtJvzroKSq.dll",#1
Imagebase:	0x7ff7723c0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.1472723820.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:40:27
Start date:	24/11/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\RtJvzroKSq.dll,DllRegisterServer
Imagebase:	0x7ff7723c0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_StrelaStealer, Description: Yara detected Strela Stealer, Source: 00000006.00000002.1472951159.00007FFBBCA06000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.7%
Total number of Nodes:	30
Total number of Limit Nodes:	4

Executed Functions

Function 000002093FD120E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 000002093FD120ED
CreateThread.KERNELBASE ref: 000002093FD1211D
GetLocaleInfoA.KERNELBASE ref: 000002093FD121E5

Strings

5, xrefs: 000002093FD1225D

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID: ConsoleCreateInfoLocaleThreadWindow
String ID: 5
API String ID: 1307802651-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: 361c458238b7fb0778250e4a85390c784af35b0e329b653f4de1ea45fd20588d
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: 6F41C0302187488BF799EB64D8AD7AB77E1FB84301F40856DE15BC21E7DF3884898A42

Function 000002093FD1A87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 000002093FD1A90B

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction ID: 83c3fa1a2d19f693101528afa7d9c37890f6f15b7b6eaed06353547eb20650c5
Opcode Fuzzy Hash: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction Fuzzy Hash: 3D319E30508F1A9EE7A59B2C849C76476D0FB19360F65078AE46FC72E6C734D8E19B81

Function 000002093FD11000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 000002093FD1104B

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: 716fa669bfa09ad99638e2ae584c24aaa0ac7f4328992002bc08efdc2535d4af
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 660144305086448FFB46AB68D89C7D677A1F769305F008569E0CAC72A6DEBC8558C741

Function 000002093FD16F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,000002093FD16F64), ref: 000002093FD16F93

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: c7a0534730a2836d92422b28d2fedf3eb318b516faa7c6335e0e9aa9e5b45b79
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: 49D05E2030030C0FFB987BB859AC32D2665CB45205F0019787917CB6E7CE3A8889CB02

Function 000002093FD120B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 000002093FD120CA

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 000002093FD1F4E8 Relevance: 1.8, APIs: 1, Instructions: 321COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 000002093FD1F737

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
Instruction ID: c8e06144f212c59d8f64b992d04cd5b68f9916c14f637cd276e913e9e1bbfb3a
Opcode Fuzzy Hash: 2045596ada029767b90017b957664b0b71c7a256b325aa916a96e60a40104743
Instruction Fuzzy Hash: 86C12535510B4D8FEB99CF18C89AB5677E0FB49304F198599E86ACB2A3C335D896CF01

Function 000002093FD115A0 Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f9392618ee0be8b2838eee92702fec4626de7f7bd0dc604c65336cad8c2563
Instruction ID: f52ac1b53e26dbefe75b358d58230f59fde939b028b5040e9482411e24ecd0e8
Opcode Fuzzy Hash: e4f9392618ee0be8b2838eee92702fec4626de7f7bd0dc604c65336cad8c2563
Instruction Fuzzy Hash: E7E16F70518B488FEB65EF18D8997EA77E1FB94304F00466EA45EC31A2DB349685CF82

Function 000002093FD11A90 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f301177accb7d0ce1b8505d76f0598128b48e2f6fca66abbe616489d302d7cc2
Instruction ID: d8eecd8fb75c8ee8178e9c2a55609a64f59cee26ff48713dd57dd76e19420c38
Opcode Fuzzy Hash: f301177accb7d0ce1b8505d76f0598128b48e2f6fca66abbe616489d302d7cc2
Instruction Fuzzy Hash: C7B16E31218A494FEB69EF28DC6D7EA73E5FB94301F00426AE45BC3192DF3499458B81

Function 000002093FD11090 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 004e5bc4f416d9accfca0753fc8d67adee0aa063ac23580ea370914e8b763bcf
Instruction ID: 59602749460ef3c94d3635fc6fb1f5e62cd1b45fb192eddc84a5d2f552efc78b
Opcode Fuzzy Hash: 004e5bc4f416d9accfca0753fc8d67adee0aa063ac23580ea370914e8b763bcf
Instruction Fuzzy Hash: 5071C53161CB484BE798DF18985D3BA77D5FB89710F00856ED89FC3292EF3499468B81

Function 000002093FD172BC Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30f0a361053a8720fb197dd7f2de9fba19a6b2a280636273193b063dd5433016
Instruction ID: dcbcc7984ac636795c894b6f84dd0971fdac925b5cb38597f84c9a7c6010b679
Opcode Fuzzy Hash: 30f0a361053a8720fb197dd7f2de9fba19a6b2a280636273193b063dd5433016
Instruction Fuzzy Hash: AF51E232318E084FDB5CDF6CD49D66573D2E7A8311B15826EE41EC72A6DE70D8868B81

Function 000002093FD140B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002093FD1410C

Part of subcall function 000002093FD15054: __GetUnwindTryBlock.LIBCMT ref: 000002093FD15097
Part of subcall function 000002093FD15054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002093FD150BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002093FD141E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002093FD14433
std::bad_alloc::bad_alloc.LIBCMT ref: 000002093FD1453F

Strings

csm, xrefs: 000002093FD14207
csm, xrefs: 000002093FD14126
csm, xrefs: 000002093FD1418D

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 52ffea7d0426a6814de3ac8ddc8cdf2f4e5e649ee487054adcf6a9b16efd5889
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: D0F14F30518B488BEB94EF68C45DBA977E0FB5A310F540699E49EC7697DB30D8C1CB82

Function 000002093FD14930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002093FD14958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002093FD14A40

Strings

csm, xrefs: 000002093FD1497A
csm, xrefs: 000002093FD14A92

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: d00292e8024ab205ad62f6f7b9f3c89947de25fb33d730c0a9aa264fe346851b
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: 24717030614B098FEBF89B1880ADB64B7D1FB56315F64469E94AEC76D3DB3498C0CB42

Function 000002093FD14580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002093FD1462B

Strings

MOC, xrefs: 000002093FD145F3
RCC, xrefs: 000002093FD145FB

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: a6878c0db5355d398c847c64d71e9fd003581916fe5e49ea40bcdd9c8e3f62ce
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: 8C71B430518B488FE7A4DF18D45ABA6B7E0FB9A300F144A9DE49EC3193D774A5C5CB82

Function 000002093FD12CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002093FD12D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 000002093FD12DB2

Strings

csm, xrefs: 000002093FD12D99

Memory Dump Source

Source File: 00000000.00000002.1502079368.000002093FD11000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002093FD11000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2093fd11000_loaddll64.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: 3c9fdb6ec12610c37cda48658e2a8e69410227d93b7328ca260de33c214280fd
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: CE718330208B088BEFA8EB5CD49D77573D1FB54351F1045AEE89BC32D7E726E8918A85

Analysis Process: regsvr32.exePID: 2332, Parent PID: 2944COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Executed Functions

Function 005920E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 0059211D
GetLocaleInfoA.KERNELBASE ref: 005921E5

Strings

5, xrefs: 0059225D

Memory Dump Source

Source File: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, Offset: 00591000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_591000_regsvr32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: 9721db175efa67875ddb6b30f789c9a53d69c5806d33fc40acf3a9bb07e37715
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: AB41D231218A498BEB19EF64DC9D6AB7BE2FBD4305F44853DE14BC21A5DF388409CB42

Function 00591000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 0059104B

Memory Dump Source

Source File: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, Offset: 00591000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_591000_regsvr32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: ddf6aacccebe4ed9efc81433800ce547fd3d13422ddf14a00dc7f08318c3e136
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 0B0162315086448FFB06EB68D898BE67BE1F7A9305F008569E0CAC72A5DEBC8658C741

Function 00596F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,00596F64), ref: 00596F93

Memory Dump Source

Source File: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, Offset: 00591000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_591000_regsvr32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 0b36997fe355e6148ab02715c5b6c1697857a787db14dee0e8b1a45f8b485bd9
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: ADD09E243007095FEF187BB9699D22D2A65EB85305F0018386903CB6AADD3E988D8742

Function 005920B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 005920CA

Memory Dump Source

Source File: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, Offset: 00591000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_591000_regsvr32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 005940B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 0059410C

Part of subcall function 00595054: __GetUnwindTryBlock.LIBCMT ref: 00595097
Part of subcall function 00595054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 005950BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 005941E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00594433
std::bad_alloc::bad_alloc.LIBCMT ref: 0059453F

Strings

csm, xrefs: 0059418D
csm, xrefs: 00594126
csm, xrefs: 00594207

Memory Dump Source

Source File: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, Offset: 00591000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_591000_regsvr32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 77befe1d7a8d703069340b015b260182a997433a2d1eaf3e561aec41f3956d10
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 43E18530918B498FDF14EF68D489AAD7BE0FB99310F54465EE489C7216DB34DD82CB82

Function 00594930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00594958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00594A40

Strings

csm, xrefs: 00594A92
csm, xrefs: 0059497A

Memory Dump Source

Source File: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, Offset: 00591000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_591000_regsvr32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: f3fadcfaee44d54314763bb35996d12e6a2d32cfc54d2282a89c9c98b20f5c19
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: 12619430618B098FCF68DF188089B69BBD2FB98311F64565ED48DC7656DB34DC82CB86

Function 00592CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00592D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 00592DB2

Strings

csm, xrefs: 00592D99

Memory Dump Source

Source File: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, Offset: 00591000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_591000_regsvr32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: 5923a622efaf80b4c857579090b00637594fd56a7ff8ccfc1b2d06ce775e04e9
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 8D61A230618A099BCF28EF5CD8C5A787BD5FB54350F10456EE88AC7256EB34EC92CB85

Function 00594580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 0059462B

Strings

MOC, xrefs: 005945F3
RCC, xrefs: 005945FB

Memory Dump Source

Source File: 00000004.00000002.1465002789.0000000000591000.00000040.00001000.00020000.00000000.sdmp, Offset: 00591000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_591000_regsvr32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: c2692070e20a13b005f11cca4c4cd306cd4c7cb1dd78ea77883950278e2a60b8
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: 29718530518B4D8FDB64DF58D446BAABBE0FB99314F144A5EE489C3211DB74E982CB83

Analysis Process: rundll32.exePID: 3284, Parent PID: 3116COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	30
Total number of Limit Nodes:	4

Executed Functions

Function 000002B6D14520E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 000002B6D145211D
GetLocaleInfoA.KERNELBASE ref: 000002B6D14521E5

Strings

5, xrefs: 000002B6D145225D

Memory Dump Source

Source File: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B6D1451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6d1451000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: af2dc38bc4c12fdb1efd4ec975a83f0752d80d9d42b9b5a7f684277b130a580f
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: C441DF32314A498BF719EF64D89D7BB77E2FBC8305F44852EE147C21A6DF7884858A42

Function 000002B6D145A87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 000002B6D145A90B

Memory Dump Source

Source File: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B6D1451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6d1451000_rundll32.jbxd

Yara matches

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction ID: 2b5935daf5c53ffc56f1ddb88c0c2a1f49926bc4f715458bd278e32f542a6a18
Opcode Fuzzy Hash: 96bd17cdbec1199f7060c8e4f9a6f8fd574a155b9e298efd3bd16726f0fb32a2
Instruction Fuzzy Hash: 4131B031609E2B9EE7A59B2C948C6747BE0FB0D360F750749E45AC71E4C778D8E18381

Function 000002B6D1451000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 000002B6D145104B

Memory Dump Source

Source File: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B6D1451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6d1451000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: dc5393866abd6c33dd319b1e9c6b7a811fc7c5f695af2b35b47ec71a357ea227
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 380162316086448FFB06EB28D89CBE677E1F76D305F008569E0CAC72A6DEBC8658C741

Function 000002B6D1456F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,000002B6D1456F64), ref: 000002B6D1456F93

Memory Dump Source

Source File: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B6D1451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6d1451000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 74a0797a9dfb81763b44740a289c31915afda1d313b31a560a27248f2c06693d
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: 81D05E2270030A0FFB187BB859AC33D3761CB49319F0018386903CB6E7CE7E88898702

Function 000002B6D14520B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 000002B6D14520CA

Memory Dump Source

Source File: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B6D1451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6d1451000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 000002B6D14540B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 000002B6D145410C

Part of subcall function 000002B6D1455054: __GetUnwindTryBlock.LIBCMT ref: 000002B6D1455097
Part of subcall function 000002B6D1455054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 000002B6D14550BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 000002B6D14541E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 000002B6D1454433
std::bad_alloc::bad_alloc.LIBCMT ref: 000002B6D145453F

Strings

csm, xrefs: 000002B6D1454207
csm, xrefs: 000002B6D145418D
csm, xrefs: 000002B6D1454126

Memory Dump Source

Source File: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B6D1451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6d1451000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 48c1e53f531e775990f0d9be91dbff539b65dfe4bc2e413308c046b16ab2d561
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 7BF19F32A18A098BFB54EF68844D7B977E0FB59314F54061DE489C7297EB78D881CB82

Function 000002B6D1454930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002B6D1454958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 000002B6D1454A40

Strings

csm, xrefs: 000002B6D145497A
csm, xrefs: 000002B6D1454A92

Memory Dump Source

Source File: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B6D1451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6d1451000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: bb4e8404a58223edbccd87f4b33a88a130b6ad8a900d1629033c2b858a19d65b
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: E4715132714A068BFBA8DB18808D775B7E1FB5C311F58465A9489CB693EBB898C0C746

Function 000002B6D1454580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 000002B6D145462B

Strings

MOC, xrefs: 000002B6D14545F3
RCC, xrefs: 000002B6D14545FB

Memory Dump Source

Source File: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B6D1451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6d1451000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: 587f43465414dd1b3d20866ee1da96db3d799e2f11420403a121a10830a98c29
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: 68719331618B498FE764DF18D44ABBAB7E0FB9D300F044A5DE489C7152E7B8A5C1C782

Function 000002B6D1452CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 000002B6D1452D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 000002B6D1452DB2

Strings

csm, xrefs: 000002B6D1452D99

Memory Dump Source

Source File: 00000005.00000002.1472454129.000002B6D1451000.00000040.00001000.00020000.00000000.sdmp, Offset: 000002B6D1451000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2b6d1451000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: bcd4fd8dc9a2b07bce40584e9dfff7d2097f0740367030f7f8944fca6abf566e
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 5B717531308A06CBEB68EE5CD48DB7873D1FB58360F10456EE886C7296E768EC918685

Analysis Process: rundll32.exePID: 2216, Parent PID: 2944COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	2

Executed Functions

Function 00000260C52720E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE ref: 00000260C527211D
GetLocaleInfoA.KERNELBASE ref: 00000260C52721E5

Strings

5, xrefs: 00000260C527225D

Memory Dump Source

Source File: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000260C5271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260c5271000_rundll32.jbxd

Yara matches

Similarity

API ID: CreateInfoLocaleThread
String ID: 5
API String ID: 899703944-2226203566
Opcode ID: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction ID: 63578b136c440dd781ff112f2ccdc8353653827318cf4967010d958f48963c3a
Opcode Fuzzy Hash: 53e6023148aec332c40765bce66317f8f0d3847e40e453e3a9759d4f43b705e2
Instruction Fuzzy Hash: 2641B2302146448BE71AEF24D8ED7AF77E1FBD9341F40862EE147C21E6DE399809DA42

Function 00000260C5271000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeNameForVolumeMountPointA.KERNEL32 ref: 00000260C527104B

Memory Dump Source

Source File: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000260C5271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260c5271000_rundll32.jbxd

Yara matches

Similarity

API ID: Volume$MountNamePoint
String ID:
API String ID: 1269602640-0
Opcode ID: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction ID: e38af264b15f824377dfdaaa6683ba3355f0f9d401628a75b3ebc72a1d76c984
Opcode Fuzzy Hash: 790c3e5c04854700e94b4d90c23288a0a6dd65ca27d7b0edd1071683d7a5972d
Instruction Fuzzy Hash: 230144305085448FFB06EB28D898BD676E1F769305F008669E0CAC72A6DE7D8558C741

Function 00000260C5276F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(?,?,?,?,?,?,?,00000260C5276F64), ref: 00000260C5276F93

Memory Dump Source

Source File: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000260C5271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260c5271000_rundll32.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction ID: 2a55f440f2af183f3ac531a7a6af9a677d59a4c0b855dadbfafb264839a88bcc
Opcode Fuzzy Hash: 05666283937c1f08677c7088b7fd24b6f81cfbeb3c6d91aeb7e4e1034e6939b2
Instruction Fuzzy Hash: 6AD05B343003050FFB19BBB499DD72E2691C74A285F0019396513C76D7CD3B9C558703

Function 00000260C52720B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 00000260C52720CA

Memory Dump Source

Source File: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000260C5271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260c5271000_rundll32.jbxd

Yara matches

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction ID: f0c8c8b179c2aaeca1855f2f357fd550bc39611e5f4a8834ea67c0cbc9ad4e3c
Opcode Fuzzy Hash: b1c7642022b5e6b88316a0d0a9cd98790ccd3d47a32ec667f729e349532e1fef
Instruction Fuzzy Hash: 1DC0123016180847E708BB34EC595D136E4FB5C304FD089399407C5450E96D82844A82

Non-executed Functions

Function 00000260C52740B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00000260C527410C

Part of subcall function 00000260C5275054: __GetUnwindTryBlock.LIBCMT ref: 00000260C5275097
Part of subcall function 00000260C5275054: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00000260C52750BC

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00000260C52741E4
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00000260C5274433
std::bad_alloc::bad_alloc.LIBCMT ref: 00000260C527453F

Strings

csm, xrefs: 00000260C527418D
csm, xrefs: 00000260C5274207
csm, xrefs: 00000260C5274126

Memory Dump Source

Source File: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000260C5271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260c5271000_rundll32.jbxd

Yara matches

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction ID: 72ae6ad49c49a9bb8b5b6ccc20b97b4e0bf7e28f274f2ab1f13fc5e2f7e5a44a
Opcode Fuzzy Hash: 3ccd74b83f4e218917afb10b63cd26341559b906269fc65534a34942f520602e
Instruction Fuzzy Hash: 99F18E34518A488BEB55EF68C4997AE77E0FB6E350F50035EE489C3292DB31DC91DB82

Function 00000260C5274930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000260C5274958
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00000260C5274A40

Strings

csm, xrefs: 00000260C527497A
csm, xrefs: 00000260C5274A92

Memory Dump Source

Source File: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000260C5271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260c5271000_rundll32.jbxd

Yara matches

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction ID: 44a094064ec661cf13047acb2054040e7b1d0cd6a2b4209a15c4b9e74b22d798
Opcode Fuzzy Hash: e27bbef9eb5f28e076bf3649e7203d2c4342c914ee4d718e56e88106427699c6
Instruction Fuzzy Hash: A671A034504E048BEBA9DB18C0ED36AB3D1FBAD341F64575F9489C7692CB329CA0D782

Function 00000260C5274580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_CallSETranslator.LIBVCRUNTIME ref: 00000260C527462B

Strings

MOC, xrefs: 00000260C52745F3
RCC, xrefs: 00000260C52745FB

Memory Dump Source

Source File: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000260C5271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260c5271000_rundll32.jbxd

Yara matches

Similarity

API ID: CallTranslator
String ID: MOC$RCC
API String ID: 3163161869-2084237596
Opcode ID: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction ID: 0db43cf1e2dcd0929205e27b57ac90ebfb4c687a1193fa82fc22602dc17b72f6
Opcode Fuzzy Hash: 9263fe20008c7eccda2d837675211652d6c96f36503d8c2c93f65cb69d80355e
Instruction Fuzzy Hash: BA71C230518B488FE765DF18C48ABAAB7E0FB9E340F044B5EE489C3152D775A991CB86

Function 00000260C5272CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00000260C5272D1B
_IsNonwritableInCurrentImage.LIBCMT ref: 00000260C5272DB2

Strings

csm, xrefs: 00000260C5272D99

Memory Dump Source

Source File: 00000006.00000002.1472814726.00000260C5271000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000260C5271000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_260c5271000_rundll32.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable__except_validate_context_record
String ID: csm
API String ID: 3242871069-1018135373
Opcode ID: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction ID: 51471664804008f50882f8372d33b9529ad6e5a9791549005e2e71ab20a57a37
Opcode Fuzzy Hash: 43c5b6145a0bc1a6e7f1a4078bb18beee855f0c15013e264a2f6e222c992594d
Instruction Fuzzy Hash: 1171C434608A048BEB29EE1CD4D977A73D1FB59390F10466FE886C3296EB21FC619781

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RtJvzroKSq.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: loaddll64.exePID: 2944, Parent PID: 4084

General

Chronological Activities

Analysis Process: conhost.exePID: 3636, Parent PID: 2944

General

Windows Analysis Report
RtJvzroKSq.dll

Function 000002093FD120E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 134
threadCOMMON

Function 000002093FD1A87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON

Function 000002093FD11000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 000002093FD16F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 000002093FD120B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 000002093FD140B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 000002093FD14930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 000002093FD14580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Function 000002093FD12CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 005920E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Function 00591000 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Function 00596F68 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Function 005920B0 Relevance: 1.5, APIs: 1, Instructions: 14
windowCOMMON

Function 005940B0 Relevance: 12.7, APIs: 4, Strings: 3, Instructions: 463
COMMON

Function 00594930 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 201
COMMON

Function 00592CF0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233
COMMON

Function 00594580 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 233
COMMON

Function 000002B6D14520E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
threadCOMMON

Function 000002B6D145A87C Relevance: 1.6, APIs: 1, Instructions: 104
COMMON