Field | Value
---|---
File name: | dump1.bin
Full analysis: | https://app.any.run/tasks/cb08d70f-8c38-40a9-9e46-528f81f16a51
Verdict: | Malicious activity
Analysis date: | October 05, 2022, 05:28:29
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators: |
MIME: | application/x-dosexec
File info: | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5: | F0C97DCB65A030A214F6DD33CF4A8566
SHA1: | B23175FA1D3989BAA2E3D8B5C7192554C24ABF18
SHA256: | ED49B23DF7DEFAB3DF933C778183B12C019AB253330090F214F4BB5C2F89BCBC
SSDEEP: | 3072:AZPM0OGdUKV10OTed7/kBazzFbULOHOiPyH53ZV6:AZPMnGZVyO6F/M4qyPU53Z
Extension | Description | Match (%)
---|---|---
.dll | Win32 Dynamic Link Library (generic) | 43.5
.exe | Win32 Executable (generic) | 29.8
.exe | Generic Win/DOS Executable | 13.2
.exe | DOS Executable Generic | 13.2
Field | Value
---|---
Architecture: | IMAGE_FILE_MACHINE_I386
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: | 2019-Jul-08 14:33:00
DOS header field | Value
---|---
e_magic: | MZ
e_cblp: | 144
e_cp: | 3
e_crlc: | -
e_cparhdr: | 4
e_minalloc: | -
e_maxalloc: | 65535
e_ss: | -
e_sp: | 184
e_csum: | -
e_ip: | -
e_cs: | -
e_ovno: | -
e_oemid: | -
e_oeminfo: | -
e_lfanew: | 248
File header field | Value
---|---
Signature: | PE
Machine: | IMAGE_FILE_MACHINE_I386
NumberOfSections: | 5
TimeDateStamp: | 2019-Jul-08 14:33:00
PointerToSymbolTable: | -
NumberOfSymbols: | -
SizeOfOptionalHeader: | 224
Characteristics: |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
---|---|---|---|---|---
.text | 4096 | 44100 | 44544 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.54199
.rdata | 49152 | 11100 | 11264 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.89161
.data | 61440 | 59024 | 58368 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99241
.z4p395l | 122880 | 51200 | 51200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.06584
.reloc | 176128 | 1528 | 1536 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.65359

Imports: KERNEL32.dll
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
476 | "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\dump1.bin.dll", #1 | C:\Windows\System32\rundll32.exe | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3768 | "C:\Windows\System32\rundll32.exe" C:\Users\admin\AppData\Local\Temp\dump1.bin.dll, #1 | C:\Windows\System32\rundll32.exe | | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows host process (Rundll32); Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1432 | C:\Windows\system32\WerFault.exe -u -p 476 -s 632 | C:\Windows\system32\WerFault.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Problem Reporting; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3248 | C:\Windows\system32\wbem\unsecapp.exe -Embedding | C:\Windows\system32\wbem\unsecapp.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Sink to receive asynchronous callbacks for WMI client application; Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
2392 | "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\System32\cmd.exe | — | rundll32.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1252 | vssadmin.exe Delete Shadows /All /Quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Command Line Interface for Microsoft® Volume Shadow Copy Service; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
4076 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Microsoft® Volume Shadow Copy Service; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
1100 | bcdedit /set {default} recoveryenabled No | C:\Windows\system32\bcdedit.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Boot Configuration Data Editor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2536 | bcdedit /set {default} bootstatuspolicy ignoreallfailures | C:\Windows\system32\bcdedit.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Boot Configuration Data Editor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2684 | "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\xlnu2x4nr-readme.txt | C:\Windows\system32\NOTEPAD.EXE | — | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Notepad; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3768 | rundll32.exe | C:\users\admin\.oracle_jre_usage\xlnu2x4nr-readme.txt | binary | 35F12B141D6BCAC80CE93C052F6A295D | B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768 | rundll32.exe | C:\users\xlnu2x4nr-readme.txt | binary | 35F12B141D6BCAC80CE93C052F6A295D | B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768 | rundll32.exe | C:\users\administrator\xlnu2x4nr-readme.txt | binary | 35F12B141D6BCAC80CE93C052F6A295D | B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768 | rundll32.exe | C:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\xlnu2x4nr-readme.txt | binary | 35F12B141D6BCAC80CE93C052F6A295D | B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768 | rundll32.exe | C:\users\admin\documents\xlnu2x4nr-readme.txt | binary | 35F12B141D6BCAC80CE93C052F6A295D | B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768 | rundll32.exe | C:\program files\xlnu2x4nr-readme.txt | binary | 35F12B141D6BCAC80CE93C052F6A295D | B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768 | rundll32.exe | C:\xlnu2x4nr-readme.txt | binary | 35F12B141D6BCAC80CE93C052F6A295D | B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768 | rundll32.exe | C:\users\admin\links\xlnu2x4nr-readme.txt | binary | 35F12B141D6BCAC80CE93C052F6A295D | B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768 | rundll32.exe | C:\users\admin\pictures\xlnu2x4nr-readme.txt | binary | 35F12B141D6BCAC80CE93C052F6A295D | B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
3768 | rundll32.exe | C:\recovery\xlnu2x4nr-readme.txt | binary | 35F12B141D6BCAC80CE93C052F6A295D | B192E22D6275294DB2641ABD02328662C08FD6529EFE30B09E53D463DFAA6F3F
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3768 | rundll32.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d1596c48ccff360f | US | compressed | 60.9 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3768 | rundll32.exe | 94.231.103.59:443 | arthakapitalforvaltning.dk | team.blue Denmark A/S | DK | suspicious |
3768 | rundll32.exe | 18.206.50.87:443 | placermonticello.com | AMAZON-AES | US | suspicious |
3768 | rundll32.exe | 172.67.193.13:443 | gaearoyals.com | CLOUDFLARENET | US | suspicious |
3768 | rundll32.exe | 35.213.151.161:443 | trainiumacademy.com | GOOGLE | SG | suspicious |
— | — | 135.125.16.232:443 | pourlabretagne.bzh | OVH SAS | FR | suspicious |
3768 | rundll32.exe | 85.214.155.19:443 | daveystownhouse.com | Strato AG | DE | suspicious |
3768 | rundll32.exe | 77.72.4.226:443 | georgemuncey.com | Krystal Hosting Ltd | GB | malicious |
3768 | rundll32.exe | 50.87.236.3:443 | mindsparkescape.com | UNIFIEDLAYER-AS-1 | US | suspicious |
— | — | 192.168.100.2:53 | — | — | — | whitelisted |
3768 | rundll32.exe | 5.79.100.182:443 | molade.nl | LeaseWeb Netherlands B.V. | NL | suspicious |
Domain | IP | Reputation
---|---|---
www.microsoft.com | | whitelisted
gaearoyals.com | | unknown
georgemuncey.com | | malicious
arthakapitalforvaltning.dk | | suspicious
placermonticello.com | | suspicious
pourlabretagne.bzh | | suspicious
daveystownhouse.com | | suspicious
gavelmasters.com | | whitelisted
descargandoprogramas.com | | malicious
trainiumacademy.com | | suspicious
PID | Process | Class | Message |
---|---|---|---|
3768 | rundll32.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3768 | rundll32.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3768 | rundll32.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3768 | rundll32.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3768 | rundll32.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3768 | rundll32.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3768 | rundll32.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3768 | rundll32.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3768 | rundll32.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
3768 | rundll32.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |