analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

dump1.bin

Full analysis: https://app.any.run/tasks/cb08d70f-8c38-40a9-9e46-528f81f16a51
Verdict: Malicious activity
Analysis date: October 05, 2022, 05:28:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5:

F0C97DCB65A030A214F6DD33CF4A8566

SHA1:

B23175FA1D3989BAA2E3D8B5C7192554C24ABF18

SHA256:

ED49B23DF7DEFAB3DF933C778183B12C019AB253330090F214F4BB5C2F89BCBC

SSDEEP:

3072:AZPM0OGdUKV10OTed7/kBazzFbULOHOiPyH53ZV6:AZPMnGZVyO6F/M4qyPU53Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • WerFault.exe (PID: 1432)
      • rundll32.exe (PID: 3768)

  • SUSPICIOUS

    • Application launched itself

      • rundll32.exe (PID: 476)

  • INFO

    • Loads main object executable

      • rundll32.exe (PID: 476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2019-Jul-08 14:33:00

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: -
e_cparhdr: 4
e_minalloc: -
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: -
e_oemid: -
e_oeminfo: -
e_lfanew: 248

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2019-Jul-08 14:33:00
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DLL
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
44100
44544
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.54199
.rdata
49152
11100
11264
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.89161
.data
61440
59024
58368
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99241
.z4p395l
122880
51200
51200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.06584
.reloc
176128
1528
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.65359

Imports

KERNEL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
52
Monitored processes
10
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe rundll32.exe werfault.exe no specs unsecapp.exe no specs cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs bcdedit.exe no specs bcdedit.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
476"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\dump1.bin.dll", #1C:\Windows\System32\rundll32.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3768"C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\dump1.bin.dll, #1 C:\Windows\System32\rundll32.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1432C:\Windows\system32\WerFault.exe -u -p 476 -s 632C:\Windows\system32\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3248C:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\wbem\unsecapp.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Sink to receive asynchronous callbacks for WMI client application
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
2392"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\System32\cmd.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
1252vssadmin.exe Delete Shadows /All /Quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4076C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1100bcdedit /set {default} recoveryenabled No C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2536bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2684"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\xlnu2x4nr-readme.txtC:\Windows\system32\NOTEPAD.EXEExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
4 888
Read events
4 844
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
258
Text files
4
Unknown types
7

Dropped files

PID
Process
Filename
Type
3768rundll32.exeC:\users\admin\.oracle_jre_usage\xlnu2x4nr-readme.txtbinary
MD5:35F12B141D6BCAC80CE93C052F6A295D
SHA256:B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768rundll32.exeC:\users\xlnu2x4nr-readme.txtbinary
MD5:35F12B141D6BCAC80CE93C052F6A295D
SHA256:B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768rundll32.exeC:\users\administrator\xlnu2x4nr-readme.txtbinary
MD5:35F12B141D6BCAC80CE93C052F6A295D
SHA256:B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768rundll32.exeC:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\xlnu2x4nr-readme.txtbinary
MD5:35F12B141D6BCAC80CE93C052F6A295D
SHA256:B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768rundll32.exeC:\users\admin\documents\xlnu2x4nr-readme.txtbinary
MD5:35F12B141D6BCAC80CE93C052F6A295D
SHA256:B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768rundll32.exeC:\program files\xlnu2x4nr-readme.txtbinary
MD5:35F12B141D6BCAC80CE93C052F6A295D
SHA256:B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768rundll32.exeC:\xlnu2x4nr-readme.txtbinary
MD5:35F12B141D6BCAC80CE93C052F6A295D
SHA256:B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768rundll32.exeC:\users\admin\links\xlnu2x4nr-readme.txtbinary
MD5:35F12B141D6BCAC80CE93C052F6A295D
SHA256:B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768rundll32.exeC:\users\admin\pictures\xlnu2x4nr-readme.txtbinary
MD5:35F12B141D6BCAC80CE93C052F6A295D
SHA256:B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768rundll32.exeC:\recovery\xlnu2x4nr-readme.txtbinary
MD5:35F12B141D6BCAC80CE93C052F6A295D
SHA256:B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
36
DNS requests
30
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3768
rundll32.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d1596c48ccff360f
US
compressed
60.9 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3768
rundll32.exe
94.231.103.59:443
arthakapitalforvaltning.dk
team.blue Denmark A/S
DK
suspicious
3768
rundll32.exe
18.206.50.87:443
placermonticello.com
AMAZON-AES
US
suspicious
3768
rundll32.exe
172.67.193.13:443
gaearoyals.com
CLOUDFLARENET
US
suspicious
3768
rundll32.exe
35.213.151.161:443
trainiumacademy.com
GOOGLE
SG
suspicious
135.125.16.232:443
pourlabretagne.bzh
OVH SAS
FR
suspicious
3768
rundll32.exe
85.214.155.19:443
daveystownhouse.com
Strato AG
DE
suspicious
3768
rundll32.exe
77.72.4.226:443
georgemuncey.com
Krystal Hosting Ltd
GB
malicious
3768
rundll32.exe
50.87.236.3:443
mindsparkescape.com
UNIFIEDLAYER-AS-1
US
suspicious
192.168.100.2:53
whitelisted
3768
rundll32.exe
5.79.100.182:443
molade.nl
LeaseWeb Netherlands B.V.
NL
suspicious

DNS requests

Domain
IP
Reputation
www.microsoft.com
whitelisted
gaearoyals.com
  • 172.67.193.13
  • 104.21.76.103
unknown
georgemuncey.com
  • 77.72.4.226
malicious
arthakapitalforvaltning.dk
  • 94.231.103.59
suspicious
placermonticello.com
  • 18.206.50.87
suspicious
pourlabretagne.bzh
  • 135.125.16.232
suspicious
daveystownhouse.com
  • 85.214.155.19
suspicious
gavelmasters.com
whitelisted
descargandoprogramas.com
malicious
trainiumacademy.com
  • 35.213.151.161
suspicious

Threats

PID
Process
Class
Message
3768
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3768
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3768
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3768
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3768
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3768
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3768
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3768
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3768
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
3768
rundll32.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
dump1.bin