File name:

netdrv.dll

Full analysis: https://app.any.run/tasks/3fb2f64f-ae4d-467f-9f5f-0fd3693242b8
Verdict: Malicious activity
Analysis date: July 30, 2024, 13:36:56
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5:

70813F495540E6736518ECC4158861D8

SHA1:

06216567A7D1F770291E610E41F9D5E565531A12

SHA256:

40C325544CF7D41915F19C02A128C44E14CC4CAAFD47D0B12B59707E4B8FF4F8

SSDEEP:

98304:/7kjeZNPKWGTH0qvidY/ptfraxX2IzEpNBqTwequTNrsaBAneqGUZzYPIVkqYWnx:L5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • rundll32.exe (PID: 1128)

  • SUSPICIOUS

    • Uses NSLOOKUP.EXE to check DNS info

      • powershell.exe (PID: 5728)

    • Checks for external IP

      • nslookup.exe (PID: 5832)

    • Starts POWERSHELL.EXE for commands execution

      • rundll32.exe (PID: 1128)

  • INFO

    • Checks proxy server information

      • slui.exe (PID: 5392)

    • UPX packer has been detected

      • rundll32.exe (PID: 1128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (82.1)
.exe | Clipper DOS Executable (5.9)
.exe | Generic Win/DOS Executable (5.9)
.exe | DOS Executable Generic (5.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:03:14 06:11:52+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Large address aware, DLL
PEType: PE32+
LinkerVersion: 8
CodeSize: 1192960
InitializedDataSize: 2073600
UninitializedDataSize: -
EntryPoint: 0x123e10
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 2.23.0.12
ProductVersionNumber: 2.1.1.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: -
CompanyName: AhnLab, Inc.
FileDescription: MeD Engine Extention
FileVersion: 2.23.0.12
InternalName: MeDExt
LegalCopyright: Copyright (C) AhnLab, Inc. 1988-2012. All rights reserved
LegalTrademarks: -
OriginalFileName: MeDExt.dll
PrivateBuild: -
ProductName: AhnLab Smart Defense
ProductVersion: 2.1.1.1
SpecialBuild: -
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
9
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT rundll32.exe slui.exe powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs nslookup.exe ucpdmgr.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1128"C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\netdrv.dll, TestC:\Windows\System32\rundll32.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
4376\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4496"C:\WINDOWS\system32\UCPDMgr.exe"C:\Windows\System32\UCPDMgr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5080\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeUCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5392C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5728powershell.exe -command "& nslookup myip.opendns.com resolver1.opendns.com"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
5832"C:\WINDOWS\system32\nslookup.exe" myip.opendns.com resolver1.opendns.comC:\Windows\System32\nslookup.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
nslookup
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\nslookup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
7076powershell.exe -command "get-wmiobject win32_computersystem | select-object -expandproperty domain"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
10 522
Read events
10 522
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
5728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tlwpskda.rzn.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7076powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qe5kawbf.dze.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7076powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_afsr4ahd.vzx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_w14sbax0.pux.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7076powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:559E97A3DC6E5FF764B865EB40C184AF
SHA256:3B0B2253AD2ED5E27BEDB6BE3C30E1C8AB36F89A3098A971CFC772E5F3C3FC2A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
72
DNS requests
22
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4424
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2424
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4132
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
3676
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.160:443
Akamai International B.V.
DE
unknown
131.253.33.254:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
20.83.72.98:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2216
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
4424
svchost.exe
20.190.159.4:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4424
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.64
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.23
  • 40.126.31.67
  • 20.190.159.73
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
www.bing.com
  • 2.23.209.171
  • 2.23.209.167
  • 2.23.209.157
  • 2.23.209.158
  • 2.23.209.160
  • 2.23.209.169
  • 2.23.209.162
  • 2.23.209.168
  • 2.23.209.161
whitelisted
fp-afd-nocache-ccp.azureedge.net
  • 13.107.246.45
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
self.events.data.microsoft.com
  • 20.50.80.209
whitelisted

Threats

PID
Process
Class
Message
5832
nslookup.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
5832
nslookup.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup Domain (myip .opendns .com in DNS lookup)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
netdrv.dll