stub.dll
This report was generated from a file or URL submitted to this webservice on October 23rd 2019 09:23:00 (UTC) with the action script Heavy Anti-Evasion
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Evasive
  - Possibly checks for the presence of a forensics/monitoring tool
  - Possibly tries to implement anti-virtualization techniques
MITRE ATT&CK™ Techniques Detection
Indicators
Malicious Indicators 1
Unusual Characteristics
References suspicious system modules
- details
  - "csrss.exePvUhkp@[8"
  - "csrss.exe`#p^YbpZb\ b8"
  - "*'pT+@6w'Zbcr@6w\Bee! v@6wP1b@6wlsass.exe0jhr8xvers\vga0-0%B`B@{(8&(&<Zbjm^@M@6w8T.SY-2@6w-2@6w-2@6w-2Syst@6w-2@6w4u"
- source
  - File/Memory
- relevance
  - 5/10
- ATT&CK ID
  - T1215
Suspicious Indicators 11
Anti-Reverse Engineering
PE file has unusual entropy sections
- details
  - .stub1 has unusual entropy 7.97202753802
- source
  - Static Parser
- relevance
  - 10/10
Environment Awareness
Possibly tries to implement anti-virtualization techniques
- details
  - "VBoxService.exe@3=+Q\8" (Indicator: "vbox")
  - "VBoxService.exe@3=+Q\8" (Indicator: "vboxservice")
  - "@6w\*0i@6w|5:wi@6w! v@6w4>item3@6wVBoxTray.exe5gWh H8" (Indicator: "vbox")
  - "@6w\*0i@6w|5:wi@6w! v@6w4>item3@6wVBoxTray.exe5gWh H8" (Indicator: "vboxtray")
  - "$VBoxService.exeiZbx812\Wldap3zy0I0IP`+<>>|@6wl/Zb@6w" (Indicator: "vbox")
  - "$VBoxService.exeiZbx812\Wldap3zy0I0IP`+<>>|@6wl/Zb@6w" (Indicator: "vboxservice")
- source
  - File/Memory
- relevance
  - 4/10
External Systems
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
  - 1/71 reputation engines marked "https://www.digicert.com" as malicious (1% detection rate)
- source
  - External System
- relevance
  - 10/10
General
Found a potential E-Mail address in binary/memory
- details
  - (garbled string pattern matches not reproduced)
- source
  - File/Memory
- relevance
  - 3/10
- ATT&CK ID
  - T1114
Network Related
Found potential IP address in binary/memory
- details
  - Heuristic match: "version="5.1.0.0""
- source
  - File/Memory
- relevance
  - 3/10
Remote Access Related
Contains references to WMI/WMIC
- details
  - "WmiPrvSE.exep-Zb 8/wg;`;`H0lZb-|@6w" (Indicator: "wmiprvse.exe")
  - "WmiPrvSE.exeXshCK<~_@8" (Indicator: "wmiprvse.exe")
- source
  - File/Memory
- relevance
  - 10/10
- ATT&CK ID
  - T1047
Unusual Characteristics
Entrypoint in PE header is within an uncommon section
- details
  - "29a52a1dac4204d05834ea350757699a1622af70c2ffdf707b32c34efeea6d97.bin" has an entrypoint in section ".stub1"
- source
  - Static Parser
- relevance
  - 10/10
Imports suspicious APIs
- details
  - Sleep
  - GetModuleHandleA
  - GetModuleFileNameW
  - GetVersionExW
  - GetProcAddress
  - LoadLibraryA
- source
  - Static Parser
- relevance
  - 1/10
Installs hooks/patches the running process
- details
  - "rundll32.exe" wrote bytes "71114b027a3b4a02ab8b02007f950200fc8c0200729602006cc805001ecd47027d264702" to virtual address "0x750F07E4" (part of module "USER32.DLL")
- source
  - Hook Detection
- relevance
  - 10/10
- ATT&CK ID
  - T1179
Hiding 2 Suspicious Indicators
Informative 9
Anti-Reverse Engineering
PE file contains zero-size sections
- details
  - Raw size of ".text" is zero
  - Raw size of ".rdata" is zero
  - Raw size of ".data" is zero
  - Raw size of ".gfids" is zero
  - Raw size of ".stub0" is zero
- source
  - Static Parser
- relevance
  - 10/10
General
Contains PDB pathways
- details
  - "stub.pdb"
  - (garbled RSDS debug-path fragments not reproduced)
- source
  - File/Memory
- relevance
  - 1/10
Spawns new processes
- details
  - Spawned process "rundll32.exe" with commandline ""C:\stub.dll",#1"
- source
  - Monitored Target
- relevance
  - 3/10
Spawns new processes that are not known child processes
- details
  - Spawned process "rundll32.exe" with commandline ""C:\stub.dll",#1"
- source
  - Monitored Target
- relevance
  - 3/10
The input sample is signed with a certificate
- details
  - The input sample is signed with a certificate issued by "CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6; see report for more information)
  - The input sample is signed with a certificate issued by "CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: F5:D5:FD:5B:51:83:60:76:F6:F4:40:DE:D6:6F:B6:B4:CE:8C:7A:BC; see report for more information)
  - The input sample is signed with a certificate issued by "CN=DigiCert Assured ID CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 61:4D:27:1D:91:02:E3:01:69:82:24:87:FD:E5:DE:00:A3:52:B0:1D; see report for more information)
  - The input sample is signed with a certificate issued by "CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US" (SHA1: 19:A0:9B:5A:36:F4:DD:99:72:7D:F7:83:C1:7A:51:23:1A:56:C1:17; see report for more information)
- source
  - Certificate Data
- relevance
  - 10/10
- ATT&CK ID
  - T1116
Installation/Persistence
Dropped files
- details
  - "PKM2611.tmp" has type "MDMP crash report data"
- source
  - Binary File
- relevance
  - 3/10
Touches files in the Windows directory
- details
  - "rundll32.exe" touched file "%WINDIR%\AppPatch\sysmain.sdb"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\rundll32.exe"
  - "rundll32.exe" touched file "C:\Windows\AppPatch\AcLayers.dll"
  - "rundll32.exe" touched file "C:\Windows\AppPatch\acwow64.dll"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\en-US\rundll32.exe.mui"
  - "rundll32.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
  - "rundll32.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\ntdll.dll"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\en-US\setupapi.dll.mui"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\en-US\ntdll.dll.mui"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\en-US\sechost.dll.mui"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\sechost.dll"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\en-US\rpcrt4.dll.mui"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\sspicli.dll"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\cryptbase.dll"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\imagehlp.dll"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\en-US\shlwapi.dll.mui"
  - "rundll32.exe" touched file "C:\Windows\SysWOW64\shlwapi.dll"
- source
  - API Call
- relevance
  - 7/10
Network Related
Found potential URL in binary/memory
- details
  - (URL string matches, largely garbled, not reproduced)
- source
  - File/Memory
- relevance
  - 10/10
Unusual Characteristics
Matched Compiler/Packer signature
- details
  - "29a52a1dac4204d05834ea350757699a1622af70c2ffdf707b32c34efeea6d97.bin" was detected as "VMProtect v1.70.4-> phpbb3"
- source
  - Static Parser
- relevance
  - 10/10
- ATT&CK ID
  - T1002
File Details
- Filename: stub.dll
- Size: 7.3MiB (7662696 bytes)
- Type: pedll executable
- Description: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- Architecture: WINDOWS
- SHA256: 29a52a1dac4204d05834ea350757699a1622af70c2ffdf707b32c34efeea6d97
- MD5: 6d99abda923d32282861e42e92bb58e3
- SHA1: 33b13292262d0c2ff8dd14e62fba99b54cedc019
- ssdeep: 196608:So2jSZAIGQxgLaMOqvh2wlP96xd6XhezOsI:v2OZApMuhB16yRezI
- imphash: 50dd9119faa1a12a024761c12e5c433a
- authentihash: 799f7bceaae7127a8857b8fc77fda215b2ba32039ecea26a9280bc9d7c8ff833
- Compiler/Packer: VMProtect v1.70.4-> phpbb3
- PDB Timestamp: 10/21/2019 20:52:52 (UTC)
- PDB Pathway: stub.pdb
- PDB GUID: 2DE6A43064AC4D86B3352762962CAB98
Classification (TrID)
- 42.7% (.EXE) Win32 Executable (generic)
- 19.2% (.EXE) OS/2 Executable (generic)
- 18.9% (.EXE) Generic Win/DOS Executable
- 18.9% (.EXE) DOS Executable Generic
File Metadata
- 1 Unknown Objects (build: 24225)
- 1 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 24225)
- 11 .LIB Files generated with LIB.EXE 11.00 (Visual Studio 2012) (build: 65501)
- 21 .BAS Files compiled with C2.EXE 5.0 (Visual Basic 6) (build: 24225)
- 24 .OBJ Files (COFF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 24123)
- 94 .OBJ Files (OMF) linked with LINK.EXE 6.00 (Visual Studio 6) (build: 24123)
- 22 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 24123)
- 2 .OBJ Files linked with ALIASOBJ.EXE 11.00 (Internal OLDNAMES.LIB Tool) (build: 41118)
- File appears to contain raw COFF/OMF content
- File is the product of a small codebase (0 files)
File Sections
File Resources
File Imports
File Exports
Name | Ordinal | Address |
---|---|---|
packman | #1 | 0x102f21fc |
File Certificates
Owner | Issuer | Serial | Validity | MD5 | SHA1 |
---|---|---|---|---|---|
CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | 409181b5fd5bb66755343b56f955008 | 10/22/2013 12:00:00 to 10/22/2028 12:00:00 | B6:56:37:6C:3D:2A:CE:BB:A1:88:49:D6:04:36:1B:D5 | 92:C1:58:8E:85:AF:22:01:CE:79:15:E8:53:8B:49:2F:60:5B:80:C6 |
CN="Riot Games, Inc.", O="Riot Games, Inc.", L=Santa Monica, ST=California, C=US | CN=DigiCert SHA2 Assured ID Code Signing CA, OU=www.digicert.com, O=DigiCert Inc, C=US | b323ea833805adb47136d642ea9e519 | 03/07/2017 00:00:00 to 03/10/2020 12:00:00 | A6:F1:7A:9E:7B:B6:90:F4:66:02:C9:52:9D:07:EE:71 | F5:D5:FD:5B:51:83:60:76:F6:F4:40:DE:D6:6F:B6:B4:CE:8C:7A:BC |
CN=DigiCert Timestamp Responder, O=DigiCert, C=US | CN=DigiCert Assured ID CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US | 3019a023aff58b16bd6d5eae617f066 | 10/22/2014 00:00:00 to 10/22/2024 00:00:00 | 76:D5:EF:42:89:8A:B2:DF:A5:54:51:92:6C:A5:CA:0F | 61:4D:27:1D:91:02:E3:01:69:82:24:87:FD:E5:DE:00:A3:52:B0:1D |
CN=DigiCert Assured ID CA-1, OU=www.digicert.com, O=DigiCert Inc, C=US | CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | 6fdf9039603adea000aeb3f27bbba1b | 11/10/2006 00:00:00 to 11/10/2021 00:00:00 | F3:13:AC:54:9D:E5:66:89:58:A4:80:DA:76:97:0E:BC | 19:A0:9B:5A:36:F4:DD:99:72:7D:F7:83:C1:7A:51:23:1A:56:C1:17 |
Hybrid Analysis
Analysed 1 process in total.
- <Ignored Process>
  - rundll32.exe "C:\stub.dll",#1 (PID: 3436)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Informative 1
PKM2611.tmp
- Size: 5MiB (5238111 bytes)
- Type: doc office
- Description: MDMP crash report data
- Runtime Process: rundll32.exe (PID: 3436)
- MD5: 8879d4c628762570b9e7bbbc83dbb743
- SHA1: f2f88ce1f837a8cd08b702060f731edf7cbdf2ff
- SHA256: 188415225e49d03e196ea0aa3aef9091587f2834f5fc95b62b0c544235978ada
Notifications
Runtime
- Although all strings were processed, some are hidden from the report in order to reduce the overall size
- Extracted file "PKM2611.tmp" was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/188415225e49d03e196ea0aa3aef9091587f2834f5fc95b62b0c544235978ada/analysis/1571822816/")
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "string-24" are available in the report
- Not all sources for indicator ID "string-63" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)