Analysis

Category: FILE
Package: dll
Started: 2019-10-09 21:44:11
Completed: 2019-10-09 21:44:44
Duration: 33 seconds
Options: procdump = 1
2019-10-09 22:44:11,000 [root] INFO: Date set to: 10-09-19, time set to: 21:44:11, timeout set to: 200
2019-10-09 22:44:11,015 [root] DEBUG: Starting analyzer from: C:\qfpsvay
2019-10-09 22:44:11,015 [root] DEBUG: Storing results at: C:\UCYttsSl
2019-10-09 22:44:11,015 [root] DEBUG: Pipe server name: \\.\PIPE\OMiqcSLZFN
2019-10-09 22:44:11,015 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-09 22:44:11,015 [root] INFO: Automatically selected analysis package "dll"
2019-10-09 22:44:11,561 [root] DEBUG: Started auxiliary module Browser
2019-10-09 22:44:11,561 [root] DEBUG: Started auxiliary module Curtain
2019-10-09 22:44:11,561 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-09 22:44:12,138 [modules.auxiliary.digisig] DEBUG: File is not signed.
2019-10-09 22:44:12,138 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-09 22:44:12,138 [root] DEBUG: Started auxiliary module DigiSig
2019-10-09 22:44:12,138 [root] DEBUG: Started auxiliary module Disguise
2019-10-09 22:44:12,138 [root] DEBUG: Started auxiliary module Human
2019-10-09 22:44:12,138 [root] DEBUG: Started auxiliary module Screenshots
2019-10-09 22:44:12,138 [root] DEBUG: Started auxiliary module Sysmon
2019-10-09 22:44:12,138 [root] DEBUG: Started auxiliary module Usage
2019-10-09 22:44:12,138 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL option
2019-10-09 22:44:12,138 [root] INFO: Analyzer: Package modules.packages.dll does not specify a DLL_64 option
2019-10-09 22:44:12,216 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\rundll32.exe" with arguments ""C:\Users\user\AppData\Local\Temp\77FZjboy6q.dll",#1" with pid 332
2019-10-09 22:44:12,216 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2019-10-09 22:44:12,216 [lib.api.process] INFO: 32-bit DLL to inject is C:\qfpsvay\dll\BuhtdewC.dll, loader C:\qfpsvay\bin\HUkKpCw.exe
2019-10-09 22:44:12,247 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\OMiqcSLZFN.
2019-10-09 22:44:12,247 [root] DEBUG: Loader: Injecting process 332 (thread 1308) with C:\qfpsvay\dll\BuhtdewC.dll.
2019-10-09 22:44:12,247 [root] DEBUG: Process image base: 0x002A0000
2019-10-09 22:44:12,247 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\qfpsvay\dll\BuhtdewC.dll.
2019-10-09 22:44:12,247 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x002AE000 - 0x77110000
2019-10-09 22:44:12,247 [root] DEBUG: InjectDllViaIAT: Allocated 0x1b4 bytes for new import table at 0x002B0000.
2019-10-09 22:44:12,247 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-09 22:44:12,247 [root] DEBUG: Successfully injected DLL C:\qfpsvay\dll\BuhtdewC.dll.
2019-10-09 22:44:12,263 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 332
2019-10-09 22:44:14,276 [lib.api.process] INFO: Successfully resumed process with pid 332
2019-10-09 22:44:14,276 [root] INFO: Added new process to list with pid: 332
2019-10-09 22:44:14,400 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-09 22:44:14,400 [root] DEBUG: Process dumps enabled.
2019-10-09 22:44:14,463 [root] INFO: Disabling sleep skipping.
2019-10-09 22:44:14,463 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-09 22:44:14,463 [root] INFO: Disabling sleep skipping.
2019-10-09 22:44:14,463 [root] INFO: Disabling sleep skipping.
2019-10-09 22:44:14,463 [root] INFO: Disabling sleep skipping.
2019-10-09 22:44:14,477 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 332 at 0x747e0000, image base 0x2a0000, stack from 0xb4000-0xc0000
2019-10-09 22:44:14,477 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\77FZjboy6q.dll",#1.
2019-10-09 22:44:14,477 [root] INFO: Monitor successfully loaded in process with pid 332.
2019-10-09 22:44:14,493 [root] DEBUG: Target DLL loaded at 0x74470000: C:\Users\user\AppData\Local\Temp\77FZjboy6q.dll (0x7000 bytes).
2019-10-09 22:44:14,509 [root] DEBUG: DLL loaded at 0x74230000: C:\Windows\system32\msi (0x240000 bytes).
2019-10-09 22:44:14,555 [root] DEBUG: set_caller_info: Adding region at 0x74470000 to caller regions list (advapi32::RegQueryValueExW).
2019-10-09 22:44:14,555 [root] DEBUG: GetHookCallerBase: thread 1308 (handle 0x0), return address 0x002A133A, allocation base 0x002A0000.
2019-10-09 22:44:14,555 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x74470000.
2019-10-09 22:44:14,555 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2019-10-09 22:44:14,555 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x74470000.
2019-10-09 22:44:14,555 [root] DEBUG: DumpProcess: Module entry point VA is 0x00002ED3.
2019-10-09 22:44:14,555 [root] DEBUG: set_caller_info: Adding region at 0x020A0000 to caller regions list (kernel32::GetSystemTime).
2019-10-09 22:44:14,572 [root] INFO: Added new CAPE file to list with path: C:\UCYttsSl\CAPE\332_14672140121446104102019
2019-10-09 22:44:14,572 [root] DEBUG: DumpProcess: Module image dump success - dump size 0x3600.
2019-10-09 22:44:14,572 [root] DEBUG: DLL unloaded from 0x74470000.
2019-10-09 22:44:14,572 [root] DEBUG: DLL unloaded from 0x75140000.
2019-10-09 22:44:14,572 [root] INFO: Notified of termination of process with pid 332.
2019-10-09 22:44:15,289 [root] INFO: Process with pid 332 has terminated
2019-10-09 22:44:20,359 [root] INFO: Process list is empty, terminating analysis.
2019-10-09 22:44:21,374 [root] INFO: Created shutdown mutex.
2019-10-09 22:44:22,388 [root] INFO: Shutting down package.
2019-10-09 22:44:22,388 [root] INFO: Stopping auxiliary modules.
2019-10-09 22:44:22,388 [root] INFO: Finishing auxiliary modules.
2019-10-09 22:44:22,388 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-09 22:44:22,388 [root] WARNING: File at path "C:\UCYttsSl\debugger" does not exist, skip.
2019-10-09 22:44:22,388 [root] INFO: Analysis completed.

MalScore

1.0

Benign

Machine

Name: target-01
Label: target-01
Manager: ESX
Started On: 2019-10-09 21:44:11
Shutdown On: 2019-10-09 21:44:43

File Details

File Name 089a14f69a31ea5e9a5b375dc0c46e45
File Size 14336 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 089a14f69a31ea5e9a5b375dc0c46e45
SHA1 b120620b5d82b05fee2c2153ceaf305807fa9f79
SHA256 6b146e3a59025d7085127b552494e8aaf76450a19c249bfed0b4c09f328e564f
SHA512 a5640a69abb7bb9b973a4939296ec050c09c390f2eecac6e112796311c4b1f79b168167e98fa6ed6e90bdc8b05508b4fad2cac7ca4a4bfe46a111ba1e007f70f
CRC32 84D452A6
Ssdeep 192:wC0Uy0gtm4uLgCikFxuqGMzSaYy4P79HqaDlA9aIDiyKguKuMu8:9y0c4LxurMzSaYy4P43IIey5uMu8
TrID
  • 38.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  • 26.3% (.EXE) Win32 Executable (generic) (4508/7/1)
  • 11.8% (.EXE) OS/2 Executable (generic) (2029/13)
  • 11.6% (.EXE) Generic Win/DOS Executable (2002/3)
  • 11.6% (.EXE) DOS Executable Generic (2000/1)
ClamAV None matched
Yara None matched
CAPE Yara None matched

Signatures

Creates RWX memory
Possible date expiration check, exits too soon after checking local time
process: rundll32.exe, PID 332

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

PE Information

Image Base 0x10000000
Entry Point 0x10002ed3
Reported Checksum 0x00000000
Actual Checksum 0x0000481f
Minimum OS Version 5.1
Compile Time 2004-01-25 10:28:43
Import Hash 7389da603f01fb559be22a6c5ef7799a
Exported DLL Name MSI.dll

Sections

Name Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00001000 0x00001ee4 0x00002000 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 6.07
.rdata 0x00003000 0x0000091e 0x00000a00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 6.06
.data 0x00004000 0x00000024 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 0.08
.rsrc 0x00005000 0x00000430 0x00000600 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 2.48
.reloc 0x00006000 0x000000ac 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 2.58

Imports

Library msi.dll:
0x10003038 None
0x1000303c None
0x10003040 None
0x10003044 None
0x10003048 None
0x1000304c None
0x10003050 None
0x10003054 None
0x10003058 None
Library KERNEL32.dll:
0x10003008 TerminateThread
0x1000300c CreateThread
0x10003010 CloseHandle
0x10003014 VirtualProtect
0x10003018 VirtualAlloc
0x1000301c SetLastError
0x10003020 RtlUnwind
0x10003024 WaitForSingleObject
0x10003028 VirtualFree
Library USER32.dll:
0x10003030 wsprintfW
Library ADVAPI32.dll:
0x10003000 RegQueryValueExW

Exports

Ordinal Address Name
1 0x10002e4d StartAction

Strings

.text
`.rdata
@.data
.rsrc
@.reloc
SVWUj
+()*H
MSI.dll
StartAction
msi.dll
WaitForSingleObject
VirtualFree
TerminateThread
SetLastError
VirtualAlloc
VirtualProtect
CloseHandle
CreateThread
KERNEL32.dll
wsprintfW
USER32.dll
RegQueryValueExW
ADVAPI32.dll
RtlUnwind
ActionData
SELECT `Data` FROM `Binary` WHERE `Name`='%s%i'
Binary
VS_VERSION_INFO
StringFileInfo
040904e4
CompanyName
Sysinternals - www.sysinternals.com
FileDescription
Sysinternals Process Explorer
FileVersion
InternalName
Sysinternals installer
LegalCopyright
1998-2014 Mark Russinovich
LegalTrademarks
Copyright (C) 1998-2014 Mark Russinovich
OriginalFilename
svcmsi_32.dll
ProductName
Process Explorer
ProductVersion
VarFileInfo
Translation
This file is not on VirusTotal.

Process Tree

  • rundll32.exe 332 "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\77FZjboy6q.dll",#1

rundll32.exe, PID: 332, Parent PID: 2480
Full Path: C:\Windows\SysWOW64\rundll32.exe
Command Line: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\77FZjboy6q.dll",#1

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name rundll32.exe
PID 332
Dump Size 13824 bytes
Module Path C:\Users\user\AppData\Local\Temp\77FZjboy6q.dll
Type PE image: 32-bit DLL
MD5 2fce11489e9966a0090acfd5afa0bd0d
SHA1 2a2645f473dba68ba6092ece2bff292171cbbfba
SHA256 2736ae6fa917328c98bdfe112934700870584eb7d700ec4c48f219ca2266e0c0
CRC32 8D6C1BA4
Ssdeep 384:ryEY09FILn0q41urMzSaYy4P7pBpIeyE8uMu8:rhY0rurMzm6tEDj
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 2736ae6fa917328c98bdfe112934700870584eb7d700ec4c48f219ca2266e0c0


Processing ( 0.304 seconds )

  • 0.085 TrID
  • 0.073 CAPE
  • 0.036 TargetInfo
  • 0.032 Deduplicate
  • 0.032 ProcDump
  • 0.02 Static
  • 0.012 BehaviorAnalysis
  • 0.007 NetworkAnalysis
  • 0.005 AnalysisInfo
  • 0.001 Debug
  • 0.001 Strings

Signatures ( 0.045 seconds )

  • 0.008 antiav_detectreg
  • 0.008 ransomware_files
  • 0.003 persistence_autorun
  • 0.003 antiav_detectfile
  • 0.003 infostealer_ftp
  • 0.003 ransomware_extensions
  • 0.002 browser_security
  • 0.002 infostealer_bitcoin
  • 0.002 infostealer_im
  • 0.001 tinba_behavior
  • 0.001 rat_nanocore
  • 0.001 cerber_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vbox_keys
  • 0.001 geodo_banking_trojan
  • 0.001 modify_proxy
  • 0.001 disables_browser_warn
  • 0.001 infostealer_mail

Reporting ( 0.0 seconds )

Task ID 94386
Mongo ID 5d9e54cec3c009112d67b3da
Cuckoo release 1.3-CAPE