File name: | wwlib.dll |
Full analysis: | https://app.any.run/tasks/e0a784c1-0794-415e-b6be-4c3d36aab9da |
Verdict: | Malicious activity |
Analysis date: | May 25, 2020, 12:40:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
MD5: | 2EC79D0605A4756F4732ABA16EF41B22 |
SHA1: | 304E1EB8AB50B5E28CBBDB280D653EFAE4052E1F |
SHA256: | F6E5A3A32FB3AAF3F2C56EE482998B09A6CED0A60C38088E7153F3CA247AB1CC |
SSDEEP: | 384:w748fJCoV0vl2BkeM7eksD5D2UfNDCXYyxbTM6Cu/BfI/PKgJgGwYgqP0XArAINX:w74SolWtzFtyxfhVAPhWNYRcAV5 |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x3320 |
UninitializedDataSize: | - |
InitializedDataSize: | 40960 |
CodeSize: | 12288 |
LinkerVersion: | 6 |
PEType: | PE32 |
TimeStamp: | 2020:05:25 02:50:46+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 25-May-2020 00:50:46 |
Detected languages: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x000000D0 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 25-May-2020 00:50:46 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00002330 | 0x00003000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 4.89689 |
.rdata | 0x00004000 | 0x000001B0 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.735969 |
.data | 0x00005000 | 0x000030A0 | 0x00002000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.65732 |
.rsrc | 0x00009000 | 0x00003CD0 | 0x00004000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.07267 |
.reloc | 0x0000D000 | 0x00000248 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 1.21835 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
10001 | 4.44354 | 50 | UNKNOWN | English - United States | SRCDAT |
10002 | 7.35711 | 15315 | UNKNOWN | English - United States | SCRDLL |
KERNEL32.dll |
Title | Ordinal | Address |
---|---|---|
FMain | 1 | 0x00003310 |
fgrrkuofpngobfetgarrxykxycikeqmx | 2 | 0x00001000 |
ilxlynidfnqfrtwosgoxlgaxpfvwdglqpndje | 3 | 0x00001000 |
vosmlbuaakx | 4 | 0x00001000 |
wdCommandDispatch | 5 | 0x00001000 |
wdGetApplicationObject | 6 | 0x00001000 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2112 | "C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\wwlib.dll", FMain | C:\Windows\System32\rundll32.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3996 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\About China's plan for Hong Kong security law.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3032 | "C:\Users\admin\AppData\Local\Temp\hk.exe" | C:\Users\admin\AppData\Local\Temp\hk.exe | rundll32.exe | |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe CEF Helper Exit code: 0 Version: 3.9.0.327 | ||||
480 | "C:\ProgramData\AAM UpdatesIIw\AAM Updates.exe" 158 | C:\ProgramData\AAM UpdatesIIw\AAM Updates.exe | hk.exe | |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe CEF Helper Version: 3.9.0.327 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3996 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR77EE.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3996 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:7B4BBE8BD68BA7D56E5B2E636DA9CA39 | SHA256:CDE2481AE0624C35971B663502E955530727B27F944C23BF17E8FBF6D6233F74 | |||
2112 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\adobeupdate.dat | binary | |
MD5:2351F62176D4F3A6429D9C2FF7D444E2 | SHA256:01C1FD0E5B8B7BBED62BC8A6F7C9CEFF1725D4FF6EE86FA813BF6E70B079812F | |||
2112 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\hk[1].gif | binary | |
MD5:C8E8106E892AEECE07929FAC55B2ACD4 | SHA256:2FB4A17ECE461ADE1DA2B63BB8DB19947636C6AE39C4C674FB4B7D4F90275D20 | |||
2112 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\About China's plan for Hong Kong security law.docx | document | |
MD5:271A96D10DBD8BD7ADF45145C627E93F | SHA256:D8829383DAA887E05292DA9A2B1FABBE5FF89B71F5205E32614BD54B92C3F238 | |||
3032 | hk.exe | C:\ProgramData\AAM UpdatesIIw\adobeupdate.dat | binary | |
MD5:2351F62176D4F3A6429D9C2FF7D444E2 | SHA256:01C1FD0E5B8B7BBED62BC8A6F7C9CEFF1725D4FF6EE86FA813BF6E70B079812F | |||
3996 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~$out China's plan for Hong Kong security law.docx | pgc | |
MD5:CCBA687B57B6728A7C86CBFCE9281545 | SHA256:76E9D91A9A4A794DC8871C36C862B109339DE6B1BF3AF5BD57DBF3A57EA42026 | |||
3996 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | text | |
MD5:F3B25701FE362EC84616A93A45CE9998 | SHA256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209 | |||
3032 | hk.exe | C:\ProgramData\AAM UpdatesIIw\AAM Updates.exe | executable | |
MD5:C70D8DCE46B4551133ECC58AED84BF0E | SHA256:0459E62C5444896D5BE404C559C834BA455FA5CAE1689C70FC8C61BC15468681 | |||
2112 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\hk.exe | executable | |
MD5:C70D8DCE46B4551133ECC58AED84BF0E | SHA256:0459E62C5444896D5BE404C559C834BA455FA5CAE1689C70FC8C61BC15468681 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2112 | rundll32.exe | GET | 200 | 167.88.180.198:80 | http://167.88.180.198/hk.dat | CA | binary | 349 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2112 | rundll32.exe | 167.88.180.198:80 | — | — | CA | malicious |
480 | AAM Updates.exe | 103.85.24.190:995 | www.systeminfor.com | Starry Network Limited | CN | malicious |
Domain | IP | Reputation |
---|---|---|
www.systeminfor.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
2112 | rundll32.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User Agent (Microsoft Internet Explorer) |