Analysis

Category FILE
Package dll
Started 2020-03-24 06:09:18
Completed 2020-03-24 06:09:46
Duration 28 seconds
Options:
route = internet
procdump = 1
2020-03-24 06:09:19,015 [root] INFO: Date set to: 03-24-20, time set to: 06:09:19, timeout set to: 200
2020-03-24 06:09:19,062 [root] DEBUG: Starting analyzer from: C:\hehomir
2020-03-24 06:09:19,062 [root] DEBUG: Storing results at: C:\yIUBfkdq
2020-03-24 06:09:19,062 [root] DEBUG: Pipe server name: \\.\PIPE\nWzCuWYh
2020-03-24 06:09:19,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-03-24 06:09:19,062 [root] INFO: Automatically selected analysis package "dll"
2020-03-24 06:09:20,092 [root] DEBUG: Started auxiliary module Browser
2020-03-24 06:09:20,092 [root] DEBUG: Started auxiliary module Curtain
2020-03-24 06:09:20,092 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2020-03-24 06:09:20,730 [modules.auxiliary.digisig] DEBUG: File is not signed.
2020-03-24 06:09:20,730 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2020-03-24 06:09:20,730 [root] DEBUG: Started auxiliary module DigiSig
2020-03-24 06:09:20,730 [root] DEBUG: Started auxiliary module Disguise
2020-03-24 06:09:20,730 [root] DEBUG: Started auxiliary module Human
2020-03-24 06:09:20,730 [root] DEBUG: Started auxiliary module Screenshots
2020-03-24 06:09:20,746 [root] DEBUG: Started auxiliary module Sysmon
2020-03-24 06:09:20,746 [root] DEBUG: Started auxiliary module Usage
2020-03-24 06:09:20,746 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2020-03-24 06:09:20,746 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2020-03-24 06:09:20,825 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\MSVCR110.dll",#1" with pid 2220
2020-03-24 06:09:20,825 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-03-24 06:09:20,825 [lib.api.process] INFO: 32-bit DLL to inject is C:\hehomir\dll\LYFAgp.dll, loader C:\hehomir\bin\eJaXKtF.exe
2020-03-24 06:09:20,839 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\nWzCuWYh.
2020-03-24 06:09:20,839 [root] DEBUG: Loader: Injecting process 2220 (thread 1184) with C:\hehomir\dll\LYFAgp.dll.
2020-03-24 06:09:20,839 [root] DEBUG: Process image base: 0x00630000
2020-03-24 06:09:20,839 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\hehomir\dll\LYFAgp.dll.
2020-03-24 06:09:20,855 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-03-24 06:09:20,855 [root] DEBUG: Successfully injected DLL C:\hehomir\dll\LYFAgp.dll.
2020-03-24 06:09:20,855 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2220
2020-03-24 06:09:22,868 [lib.api.process] INFO: Successfully resumed process with pid 2220
2020-03-24 06:09:22,868 [root] INFO: Added new process to list with pid: 2220
2020-03-24 06:09:23,211 [root] DEBUG: Terminate processes on terminate_event enabled.
2020-03-24 06:09:23,211 [root] DEBUG: Process dumps enabled.
2020-03-24 06:09:23,321 [root] INFO: Disabling sleep skipping.
2020-03-24 06:09:23,321 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-03-24 06:09:23,321 [root] INFO: Disabling sleep skipping.
2020-03-24 06:09:23,321 [root] INFO: Disabling sleep skipping.
2020-03-24 06:09:23,321 [root] INFO: Disabling sleep skipping.
2020-03-24 06:09:23,321 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2220 at 0x747a0000, image base 0x630000, stack from 0xd4000-0xe0000
2020-03-24 06:09:23,335 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\MSVCR110.dll",#1.
2020-03-24 06:09:23,335 [root] INFO: Monitor successfully loaded in process with pid 2220.
2020-03-24 06:09:23,351 [root] DEBUG: Target DLL loaded at 0x746D0000: C:\Users\user\AppData\Local\Temp\MSVCR110.dll (0x6000 bytes).
2020-03-24 06:09:23,368 [root] DEBUG: DLL loaded at 0x74E40000: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90 (0xa3000 bytes).
2020-03-24 06:09:26,487 [modules.auxiliary.human] INFO: Found button "Close the program", clicking it
2020-03-24 06:09:27,516 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2220
2020-03-24 06:09:27,516 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00630000.
2020-03-24 06:09:27,516 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:09:27,516 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00630000.
2020-03-24 06:09:27,516 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000178C.
2020-03-24 06:09:27,516 [root] INFO: Added new CAPE file to list with path: C:\yIUBfkdq\CAPE\2220_1211167102791324232020
2020-03-24 06:09:27,516 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xaa00.
2020-03-24 06:09:27,516 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x746D0000.
2020-03-24 06:09:27,516 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-03-24 06:09:27,516 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x746D0000.
2020-03-24 06:09:27,516 [root] DEBUG: DumpProcess: Module entry point VA is 0x0000181F.
2020-03-24 06:09:27,516 [root] INFO: Added new CAPE file to list with path: C:\yIUBfkdq\CAPE\2220_11746815602791324232020
2020-03-24 06:09:27,532 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x2800.
2020-03-24 06:09:27,532 [root] INFO: Notified of termination of process with pid 2220.
2020-03-24 06:09:33,007 [root] INFO: Process list is empty, terminating analysis.
2020-03-24 06:09:34,022 [root] INFO: Created shutdown mutex.
2020-03-24 06:09:35,036 [root] INFO: Shutting down package.
2020-03-24 06:09:35,036 [root] INFO: Stopping auxiliary modules.
2020-03-24 06:09:35,036 [root] INFO: Finishing auxiliary modules.
2020-03-24 06:09:35,036 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-03-24 06:09:35,036 [root] WARNING: File at path "C:\yIUBfkdq\debugger" does not exist, skip.
2020-03-24 06:09:35,036 [root] INFO: Analysis completed.

MalScore

1.0

Benign

Machine

Name target-02
Label target-02
Manager ESX
Started On 2020-03-24 06:09:18
Shutdown On 2020-03-24 06:09:44

File Details

File Name MSVCR110.dll
File Size 9728 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 79bef92272c7d1c6236a03c26a0804cc
SHA1 a72a4db4188b49942b442379e1b4f30049d2d2f7
SHA256 d784a12fec628860433c28caa353bb52923f39d072437393629039fa4b2ec8ad
SHA512 68610258284fb154c29105bf565b07507b63c745d9f6a22278f33e3374bfe433c2f282faf3dcd81d7b5f898caa70a1410478377821151de6ccf1dc775a2dc952
CRC32 EB447848
Ssdeep 192:y14sMryjQUic5kslkhivLqcnlo2+9r3X+EqoIoOLXi/sW6Hr6j:y+1UiK2Ezqc+/9TuVoOTikrO
TrID
  • 61.7% (.EXE) Win64 Executable (generic) (27625/18/4)
  • 14.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 10.0% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 4.5% (.EXE) OS/2 Executable (generic) (2029/13)
  • 4.4% (.EXE) Generic Win/DOS Executable (2002/3)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: rundll32.exe, PID 2220

Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

C:\Users\user\AppData\Local\Temp\MSVCR110.dll
C:\Users\user\AppData\Local\Temp\MSVCR110.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\MSVCR110.dll.124.Manifest
C:\Windows\SysWOW64\rundll32.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742
C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\msvcr90.dll
C:\Windows
C:\Windows\winsxs
C:\Users\user\AppData\Local\Temp\MSVCR110.dll
C:\Users\user\AppData\Local\Temp\MSVCR110.dll.123.Manifest
C:\Users\user\AppData\Local\Temp\MSVCR110.dll.124.Manifest
C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\msvcr90.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-GB
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-GB
kernel32.dll.FlsAlloc
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.FlsFree
kernel32.dll.IsProcessorFeaturePresent
kernel32.dll.FindActCtxSectionStringW
msvcr110.dll.#1

PE Information

Image Base 0x10000000
Entry Point 0x1000181f
Reported Checksum 0x0000de79
Actual Checksum 0x0000de79
Minimum OS Version 5.0
Compile Time 2017-12-27 03:13:30
Import Hash b2de24ccb6e704a3d804236934928d5b
Exported DLL Name MSVCR110.dll

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00000d78 0x00000e00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.03
.rdata 0x00002000 0x00000b1e 0x00000c00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 4.87
.data 0x00003000 0x00000368 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.28
.rsrc 0x00004000 0x000002b0 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.20
.reloc 0x00005000 0x000001b0 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 5.20

Imports

Library KERNEL32.dll:
0x10002000 ExitProcess
0x10002004 CreateFileA
0x10002008 GetFileSize
0x1000200c ReadFile
0x10002010 VirtualAlloc
0x10002014 GetModuleFileNameA
0x10002018 CloseHandle
0x10002020 GetCurrentProcessId
0x10002024 GetCurrentThreadId
0x10002028 GetTickCount
0x10002030 IsDebuggerPresent
0x1000203c GetCurrentProcess
0x10002040 TerminateProcess
0x10002048 Sleep
0x1000204c InterlockedExchange
Library USER32.dll:
0x100020f0 wsprintfA
Library MSVCR90.dll:
0x10002054 _crt_debugger_hook
0x1000205c _unlock
0x10002060 __dllonexit
0x10002064 _lock
0x10002068 _onexit
0x10002070 __CppXcptFilter
0x10002074 _adjust_fdiv
0x10002078 _amsg_exit
0x1000207c _initterm_e
0x10002080 _initterm
0x10002084 _decode_pointer
0x10002088 _encoded_null
0x1000208c _malloc_crt
0x10002090 _encode_pointer
0x10002094 malloc
0x10002098 free
0x1000209c srand
0x100020a4 ??2@YAPAXI@Z
0x100020a8 ??3@YAXPAX@Z
0x100020ac ?terminate@@YAXXZ
0x100020b0 _XcptFilter
0x100020b4 __set_app_type
0x100020b8 __setusermatherr
0x100020bc __wgetmainargs
0x100020c0 _calloc_crt
0x100020c4 _cexit
0x100020c8 _configthreadlocale
0x100020cc _controlfp_s
0x100020d0 _exit
0x100020d4 _invoke_watson
0x100020d8 _purecall
0x100020dc _snwprintf_s
0x100020e0 exit
0x100020e4 memcpy
0x100020e8 memset

Exports

Ordinal Address Name
1 0x10001d72 ??1type_info@@UAE@XZ
2 0x10001d00 ??2@YAPAXI@Z
3 0x10001d06 ??3@YAXPAX@Z
9 0x10001d0c ?terminate@@YAXXZ
10 0x10001d12 _XcptFilter
4 0x1000145b __crtGetShowWindowMode
5 0x10001469 __crtSetUnhandledExceptionFilter
6 0x10001469 __crtTerminateProcess
7 0x10001469 __crtUnhandledException
11 0x10001cee __dllonexit
12 0x10001d18 __set_app_type
13 0x10001d1e __setusermatherr
14 0x10001d24 __wgetmainargs
15 0x10001bba _amsg_exit
16 0x10001d2a _calloc_crt
17 0x10001d30 _cexit
18 0x10003344 _commode
19 0x10001d36 _configthreadlocale
20 0x10001d3c _controlfp_s
21 0x10001cdc _crt_debugger_hook
22 0x10001cfa _except_handler4_common
23 0x10001d42 _exit
24 0x10003348 _fmode
25 0x10001bae _initterm
26 0x10001bb4 _initterm_e
27 0x10001d48 _invoke_watson
28 0x10001cf4 _lock
29 0x10001954 _onexit
30 0x10001d4e _purecall
31 0x10001d54 _snwprintf_s
32 0x10001ce8 _unlock
8 0x10001469 _wcmdln
33 0x10001d5a exit
34 0x10001488 free
35 0x1000148e malloc
36 0x10001d60 memcpy
37 0x10001d66 memset
38 0x10001d6c srand
This file is not on VirusTotal.

Process Tree

  • rundll32.exe 2220 "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\MSVCR110.dll",#1

rundll32.exe, PID: 2220, Parent PID: 2584
Full Path: C:\Windows\SysWOW64\rundll32.exe
Command Line: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\MSVCR110.dll",#1

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name rundll32.exe
PID 2220
Dump Size 43520 bytes
Module Path C:\Users\user\AppData\Local\Temp\MSVCR110.dll
Type PE image: 32-bit executable
MD5 da6fbb21fca12fe8937c67e15eeb8cff
SHA1 f182226e6c51a48afc9c74c34846525dd66ef32c
SHA256 e249ceef839632a68fd06703c815362ebd4cb98a51bb59399b6bc1ee120d1ad3
CRC32 76A5C626
Ssdeep 768:4pD0ytFovdiauSRqbSEln5IyYpamDjobj8S:450g6vdISRqln5IUmDjoX
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename e249ceef839632a68fd06703c815362ebd4cb98a51bb59399b6bc1ee120d1ad3
Process Name rundll32.exe
PID 2220
Dump Size 10240 bytes
Module Path C:\Users\user\AppData\Local\Temp\MSVCR110.dll
Type PE image: 32-bit DLL
MD5 8a98ff5a523144006812e3557a2077a3
SHA1 e965ecdd97e49e210a757641f467de3987429dcd
SHA256 aaa0378ce90c1ab44b111aad51d6dbf0cf3ef913690c84eef2f29e386a901a03
CRC32 036AC38F
Ssdeep 192:yT4svpAbDW5u0rki9s1WLI2+9r3X+EqoIoOLXi/sW6HQ:y0jDW3hmQE/9TuVoOTikr
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename aaa0378ce90c1ab44b111aad51d6dbf0cf3ef913690c84eef2f29e386a901a03


Processing ( 0.646 seconds )

  • 0.172 CAPE
  • 0.131 TargetInfo
  • 0.118 ProcDump
  • 0.088 Deduplicate
  • 0.082 TrID
  • 0.027 Static
  • 0.014 BehaviorAnalysis
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug
  • 0.001 Strings

Signatures ( 0.049 seconds )

  • 0.008 ransomware_files
  • 0.007 antiav_detectreg
  • 0.004 ransomware_extensions
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.002 masquerade_process_name
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 betabot_behavior
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail
  • 0.001 modify_security_center_warnings
  • 0.001 modify_uac_prompt

Reporting ( 0.0 seconds )

Task ID 131452
Mongo ID 5e79a42c0986a12c9f6d5a37
Cuckoo release 1.3-CAPE