Analysis

Category Package Started Completed Duration
FILE dll 2019-11-08 19:44:41 2019-11-08 19:45:07 26 seconds
Options:
procdump = 1
2019-11-08 19:44:42,000 [root] INFO: Date set to: 11-08-19, time set to: 19:44:42, timeout set to: 200
2019-11-08 19:44:42,015 [root] DEBUG: Starting analyzer from: C:\qiaeos
2019-11-08 19:44:42,015 [root] DEBUG: Storing results at: C:\dZNytwg
2019-11-08 19:44:42,015 [root] DEBUG: Pipe server name: \\.\PIPE\agonCa
2019-11-08 19:44:42,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-11-08 19:44:42,015 [root] INFO: Automatically selected analysis package "dll"
2019-11-08 19:44:42,421 [root] DEBUG: Started auxiliary module Browser
2019-11-08 19:44:42,421 [root] DEBUG: Started auxiliary module Curtain
2019-11-08 19:44:42,421 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-11-08 19:44:42,701 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-11-08 19:44:42,701 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-11-08 19:44:42,701 [root] DEBUG: Started auxiliary module DigiSig
2019-11-08 19:44:42,701 [root] DEBUG: Started auxiliary module Disguise
2019-11-08 19:44:42,701 [root] DEBUG: Started auxiliary module Human
2019-11-08 19:44:42,701 [root] DEBUG: Started auxiliary module Screenshots
2019-11-08 19:44:42,701 [root] DEBUG: Started auxiliary module Sysmon
2019-11-08 19:44:42,701 [root] DEBUG: Started auxiliary module Usage
2019-11-08 19:44:42,701 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2019-11-08 19:44:42,701 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2019-11-08 19:44:42,858 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll",#1" with pid 1836
2019-11-08 19:44:42,858 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-11-08 19:44:42,858 [lib.api.process] INFO: 32-bit DLL to inject is C:\qiaeos\dll\jUrLtVc.dll, loader C:\qiaeos\bin\WTZcKMz.exe
2019-11-08 19:44:42,872 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\agonCa.
2019-11-08 19:44:42,872 [root] DEBUG: Loader: Injecting process 1836 (thread 332) with C:\qiaeos\dll\jUrLtVc.dll.
2019-11-08 19:44:42,872 [root] DEBUG: Process image base: 0x00CB0000
2019-11-08 19:44:42,872 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\qiaeos\dll\jUrLtVc.dll.
2019-11-08 19:44:42,872 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x00CBE000 - 0x77110000
2019-11-08 19:44:42,872 [root] DEBUG: InjectDllViaIAT: Allocated 0x1b0 bytes for new import table at 0x00CC0000.
2019-11-08 19:44:42,872 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-11-08 19:44:42,872 [root] DEBUG: Successfully injected DLL C:\qiaeos\dll\jUrLtVc.dll.
2019-11-08 19:44:42,888 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1836
2019-11-08 19:44:44,901 [lib.api.process] INFO: Successfully resumed process with pid 1836
2019-11-08 19:44:44,901 [root] INFO: Added new process to list with pid: 1836
2019-11-08 19:44:45,026 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-11-08 19:44:45,026 [root] DEBUG: Process dumps enabled.
2019-11-08 19:44:45,042 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-11-08 19:44:45,042 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 1836 at 0x747e0000, image base 0xcb0000, stack from 0x84000-0x90000
2019-11-08 19:44:45,042 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll",#1.
2019-11-08 19:44:45,042 [root] INFO: Monitor successfully loaded in process with pid 1836.
2019-11-08 19:44:45,056 [root] DEBUG: Target DLL loaded at 0x50000000: C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll (0x5000 bytes).
2019-11-08 19:44:45,056 [root] DEBUG: DLL loaded at 0x75D00000: C:\Windows\syswow64\WS2_32 (0x35000 bytes).
2019-11-08 19:44:45,056 [root] DEBUG: DLL loaded at 0x75130000: C:\Windows\syswow64\NSI (0x6000 bytes).
2019-11-08 19:44:45,072 [root] DEBUG: GetHookCallerBase: thread 332 (handle 0x0), return address 0x00CB133A, allocation base 0x00CB0000.
2019-11-08 19:44:45,072 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x50000000.
2019-11-08 19:44:45,072 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-11-08 19:44:45,072 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x50000000.
2019-11-08 19:44:45,072 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001F05.
2019-11-08 19:44:45,072 [root] DEBUG: set_caller_info: Adding region at 0x02140000 to caller regions list (kernel32::GetSystemTime).
2019-11-08 19:44:45,072 [root] INFO: Added new CAPE file to list with path: C:\dZNytwg\CAPE\1836_4228758464524396112019
2019-11-08 19:44:45,072 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2400.
2019-11-08 19:44:45,072 [root] DEBUG: DLL unloaded from 0x50000000.
2019-11-08 19:44:45,088 [root] DEBUG: DLL unloaded from 0x75140000.
2019-11-08 19:44:45,088 [root] INFO: Notified of termination of process with pid 1836.
2019-11-08 19:44:50,984 [root] INFO: Process list is empty, terminating analysis.
2019-11-08 19:44:51,999 [root] INFO: Created shutdown mutex.
2019-11-08 19:44:53,013 [root] INFO: Shutting down package.
2019-11-08 19:44:53,013 [root] INFO: Stopping auxiliary modules.
2019-11-08 19:44:53,013 [root] INFO: Finishing auxiliary modules.
2019-11-08 19:44:53,013 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-11-08 19:44:53,013 [root] WARNING: File at path "C:\dZNytwg\debugger" does not exist, skip.
2019-11-08 19:44:53,013 [root] INFO: Analysis completed.

MalScore

1.0

Benign

Machine

Name Label Manager Started On Shutdown On
target-01 target-01 ESX 2019-11-08 19:44:41 2019-11-08 19:45:07

File Details

File Name 3c1a8991e96f4c56ae3e90fb6f0ae679
File Size 20480 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 3c1a8991e96f4c56ae3e90fb6f0ae679
SHA1 41d72fa626cccadcd5aae3a0a652043e4a4f7b4a
SHA256 9611d0b1837e933b9d938e19791b757aa56669ec75b8fd671bdd1371eede03bb
SHA512 426f9efc955ec2c6c159f776c23f4784b989b6d216e860c7366c8620585e5c42c87c421906768355cd2b54773a46511050c3cce24af3f6fd0bf34e95a5dca19a
CRC32 00CE2D15
Ssdeep 192:ZcMdjzlmeno/hERhFXmIoozoZSiLpeaencO+MX1gcT:OMdjzIWRhFWIoozo4iFGnhg
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: rundll32.exe, PID 1836

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll
C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll.124.Manifest
C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll
C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll.124.Manifest
C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll.2.Manifest
C:\Windows\SysWOW64\rundll32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\vhbKYbAt6rowP4.dll
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\UseFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\vhbKYbAt6rowP4.dll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
vhbkybat6rowp4.dll.#1

PE Information

Image Base 0x50000000
Entry Point 0x50001f05
Reported Checksum 0x00000000
Actual Checksum 0x0000c932
Minimum OS Version 4.0
Compile Time 2013-02-04 13:19:53
Import Hash 6772345dfdfef239defde216b3d731f0
Exported DLL Name rkctl_Win32.dll

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001000 0x00001000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.05
.rdata 0x00002000 0x000003fb 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 1.72
.data 0x00003000 0x00000af4 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 5.86
.reloc 0x00004000 0x00000414 0x00001000 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 1.03

Imports

Library WS2_32.dll:
0x5000202c ntohl
0x50002030 htonl
Library msvcrt.dll:
0x50002038 _beginthreadex
0x5000203c _adjust_fdiv
0x50002040 malloc
0x50002044 _vsnprintf
0x50002048 fopen
0x5000204c vfprintf
0x50002050 fclose
0x50002054 free
0x50002058 memcpy
0x5000205c _initterm
Library KERNEL32.dll:
0x50002000 GetProcAddress
0x50002004 SetErrorMode
0x5000200c Sleep
0x50002010 GetExitCodeThread
0x50002014 WaitForSingleObject
0x50002018 SetEvent
0x5000201c CloseHandle
0x50002020 CreateEventA
0x50002024 GetLastError

Exports

Ordinal Address Name
1 0x500011d0 ModuleCommand
2 0x500015f0 ModuleStart
3 0x50001180 ModuleStop

Strings

.text
`.rdata
@.data
.reloc
tc_cancel
config_read_uint32
tr_free
tr_alloc
tc_send_request
tr_write_pipe
snake_modules_command
t_setoptbin
tc_free_data
tc_get_reply
tc_read_request_pipe
tc_send_request_bufs
t_close
tc_socket
snake_free
snake_alloc
\\.\pipe\%s
WS2_32.dll
memcpy
fclose
vfprintf
fopen
_vsnprintf
malloc
_beginthreadex
msvcrt.dll
_initterm
_adjust_fdiv
GetLastError
GetProcAddress
SetErrorMode
CreateEventA
CloseHandle
SetEvent
WaitForSingleObject
GetExitCodeThread
Sleep
DisableThreadLibraryCalls
KERNEL32.dll
rkctl_Win32.dll
ModuleCommand
ModuleStart
ModuleStop

VirusTotal

This file is not on VirusTotal.

Process Tree

  • rundll32.exe 1836 "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll",#1

rundll32.exe, PID: 1836, Parent PID: 2480
Full Path: C:\Windows\SysWOW64\rundll32.exe
Command Line: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll",#1

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Suricata Extracted Files

No dropped Suricata extracted files.

JA3

No JA3 hashes found.

Dropped Files

No dropped files.

CAPE Files

No CAPE files.

Process Dumps

Process Name rundll32.exe
PID 1836
Dump Size 9216 bytes
Module Path C:\Users\user\AppData\Local\Temp\vhbKYbAt6rowP4.dll
Type PE image: 32-bit DLL
MD5 9297b9327d0eca316d658e027a662e76
SHA1 c8c894ec4bfeeeabd5f380fc9aab2221d02d634f
SHA256 92dc27e0db11b56b0aae26490bcf877ae5f49aab5b1754dba699f4a72a1ff751
CRC32 CD138AB7
Ssdeep 192:ZcMdjzlmeno/hERhFXm0oozoZSiLpeaencO+MX1gcTH:OMdjzIWRhFW0oozo4iFGnhgy
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 92dc27e0db11b56b0aae26490bcf877ae5f49aab5b1754dba699f4a72a1ff751

Processing ( 0.406 seconds )

  • 0.114 TrID
  • 0.103 CAPE
  • 0.056 TargetInfo
  • 0.049 ProcDump
  • 0.031 Deduplicate
  • 0.026 Static
  • 0.013 BehaviorAnalysis
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug
  • 0.001 Strings

Signatures ( 0.05 seconds )

  • 0.008 antiav_detectreg
  • 0.008 ransomware_files
  • 0.004 infostealer_ftp
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 ransomware_extensions
  • 0.002 antianalysis_detectreg
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 infostealer_mail
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 masquerade_process_name

Reporting ( 0.0 seconds )

Task ID 108499
Mongo ID 5dc5c5c503bfea2d656a0254
Cuckoo release 1.3-CAPE