Malicious
Classifications

Downloader

Threat Names

Mal/Generic-S, C2/Generic-A, Emotet, Mal/HTMLGen-A

Remarks (2/2)

(0x02000050): This analysis has been updated with the latest reputation and static analysis results from the original analysis with the ID #13672024.

(0x0200000E): The overall sleep time of all monitored processes was truncated from "1 minute" to "10 seconds" to reveal dormant functionality.

File Name C:\Users\KEECFM~1\Desktop\{3656F910-4433-438C-BE65-BC03A0BBE048}.wsf
Category Sample File
Type Text
Verdict Malicious
Also Known As C:\Users\kEecfMwgj\Desktop\{3656F910-4433-438C-BE65-BC03A0BBE048}.wsf (Sample File, VM File)
MIME Type text/x-wsf
File Size 53.82 KB
MD5 ae25f2104967b2708ac9dba80aac52fd
SHA1 7ac0150b43cbb5eeba9a0f956e1291df6790f3bf
SHA256 11b3d1564b12934489281250c9a683f076fe10254bfdd7da72307e538838ec56
SSDeep 768:n9Te2jdcdTeNtu1t/nl8BFWVyeaNhvsbsS:9TVdaeNtuXndH
ImpHash -
File Reputation Information
Verdict Malicious
File Name C:\Users\KEECFM~1\Desktop\radF4DF4.tmp.dll
Category Dropped File
Type Binary
Verdict Malicious
Also Known As C:\Windows\system32\IAmWs\KHlcuNQKgqGHACSo.dll (Accessed File, Dropped File)
MIME Type application/vnd.microsoft.portable-executable
File Size 309.50 KB
MD5 bfc060937dc90b273eccb6825145f298
SHA1 c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256 2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253
SSDeep 6144:cwNQMQTlfdUPABVy559hhR3iP7TfPYbrF1EFVw0todxKROsCt:rNbadDBkZ6rPeEFizdxxsCt
ImpHash abb9300283e542fb453de5c4c87cd55d
File Reputation Information
Verdict Malicious
Names Mal/Generic-S
PE Information
Image Base 0x180000000
Entry Point 0x18000179C
Size Of Code 0x00014600
Size Of Initialized Data 0x0003A000
File Type IMAGE_FILE_DLL
Subsystem IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type IMAGE_FILE_MACHINE_AMD64
Compile Timestamp 2023-03-10 13:52 (UTC)
Sections (7)
Name Virtual Address Virtual Size Raw Data Size Raw Data Offset Flags Entropy
.text 0x180001000 0x00014415 0x00014600 0x00000400 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ 6.39
.rdata 0x180016000 0x0000A4B4 0x0000A600 0x00014A00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.75
.data 0x180021000 0x00001EA4 0x00000C00 0x0001F000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE 2.1
.pdata 0x180023000 0x000011A0 0x00001200 0x0001FC00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 4.89
_RDATA 0x180025000 0x0000015C 0x00000200 0x00020E00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 2.8
.rsrc 0x180026000 0x0002BD28 0x0002BE00 0x00021000 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ 7.84
.reloc 0x180052000 0x00000684 0x00000800 0x0004CE00 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ 4.92
Imports (4)
KERNEL32.dll (69)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
SetFilePointerEx - 0x180016038 0x0001FA00 0x0001E400 0x00000555
GetConsoleMode - 0x180016040 0x0001FA08 0x0001E408 0x00000216
GetConsoleOutputCP - 0x180016048 0x0001FA10 0x0001E410 0x0000021A
WriteFile - 0x180016050 0x0001FA18 0x0001E418 0x0000064B
FlushFileBuffers - 0x180016058 0x0001FA20 0x0001E420 0x000001B9
SetStdHandle - 0x180016060 0x0001FA28 0x0001E428 0x0000057F
HeapSize - 0x180016068 0x0001FA30 0x0001E430 0x00000375
GetStringTypeW - 0x180016070 0x0001FA38 0x0001E438 0x000002F8
GetFileType - 0x180016078 0x0001FA40 0x0001E440 0x0000026A
GetStdHandle - 0x180016080 0x0001FA48 0x0001E448 0x000002F3
GetProcessHeap - 0x180016088 0x0001FA50 0x0001E450 0x000002D4
CreateFileW - 0x180016090 0x0001FA58 0x0001E458 0x000000DA
CloseHandle - 0x180016098 0x0001FA60 0x0001E460 0x00000094
WriteConsoleW - 0x1800160A0 0x0001FA68 0x0001E468 0x0000064A
ExitProcess - 0x1800160A8 0x0001FA70 0x0001E470 0x00000178
HeapReAlloc - 0x1800160B0 0x0001FA78 0x0001E478 0x00000373
GetLastError - 0x1800160B8 0x0001FA80 0x0001E480 0x0000027D
LCMapStringW - 0x1800160C0 0x0001FA88 0x0001E488 0x000003D4
FlsFree - 0x1800160C8 0x0001FA90 0x0001E490 0x000001B5
FlsSetValue - 0x1800160D0 0x0001FA98 0x0001E498 0x000001B7
FlsGetValue - 0x1800160D8 0x0001FAA0 0x0001E4A0 0x000001B6
FlsAlloc - 0x1800160E0 0x0001FAA8 0x0001E4A8 0x000001B4
UnhandledExceptionFilter - 0x1800160E8 0x0001FAB0 0x0001E4B0 0x000005E6
SetUnhandledExceptionFilter - 0x1800160F0 0x0001FAB8 0x0001E4B8 0x000005A4
GetCurrentProcess - 0x1800160F8 0x0001FAC0 0x0001E4C0 0x00000232
TerminateProcess - 0x180016100 0x0001FAC8 0x0001E4C8 0x000005C4
IsProcessorFeaturePresent - 0x180016108 0x0001FAD0 0x0001E4D0 0x000003A8
IsDebuggerPresent - 0x180016110 0x0001FAD8 0x0001E4D8 0x000003A0
GetStartupInfoW - 0x180016118 0x0001FAE0 0x0001E4E0 0x000002F1
GetModuleHandleW - 0x180016120 0x0001FAE8 0x0001E4E8 0x00000295
QueryPerformanceCounter - 0x180016128 0x0001FAF0 0x0001E4F0 0x00000470
GetCurrentProcessId - 0x180016130 0x0001FAF8 0x0001E4F8 0x00000233
GetCurrentThreadId - 0x180016138 0x0001FB00 0x0001E500 0x00000237
GetSystemTimeAsFileTime - 0x180016140 0x0001FB08 0x0001E508 0x0000030A
InitializeSListHead - 0x180016148 0x0001FB10 0x0001E510 0x0000038A
RtlUnwindEx - 0x180016150 0x0001FB18 0x0001E518 0x00000503
InterlockedFlushSList - 0x180016158 0x0001FB20 0x0001E520 0x0000038E
SetLastError - 0x180016160 0x0001FB28 0x0001E528 0x00000564
EncodePointer - 0x180016168 0x0001FB30 0x0001E530 0x00000145
RaiseException - 0x180016170 0x0001FB38 0x0001E538 0x00000487
EnterCriticalSection - 0x180016178 0x0001FB40 0x0001E540 0x00000149
LeaveCriticalSection - 0x180016180 0x0001FB48 0x0001E548 0x000003E0
DeleteCriticalSection - 0x180016188 0x0001FB50 0x0001E550 0x00000123
InitializeCriticalSectionAndSpinCount - 0x180016190 0x0001FB58 0x0001E558 0x00000386
TlsAlloc - 0x180016198 0x0001FB60 0x0001E560 0x000005D6
TlsGetValue - 0x1800161A0 0x0001FB68 0x0001E568 0x000005D8
TlsSetValue - 0x1800161A8 0x0001FB70 0x0001E570 0x000005D9
TlsFree - 0x1800161B0 0x0001FB78 0x0001E578 0x000005D7
FreeLibrary - 0x1800161B8 0x0001FB80 0x0001E580 0x000001C5
GetProcAddress - 0x1800161C0 0x0001FB88 0x0001E588 0x000002CD
LoadLibraryExW - 0x1800161C8 0x0001FB90 0x0001E590 0x000003E6
RtlPcToFileHeader - 0x1800161D0 0x0001FB98 0x0001E598 0x000004FF
GetModuleHandleExW - 0x1800161D8 0x0001FBA0 0x0001E5A0 0x00000294
GetModuleFileNameW - 0x1800161E0 0x0001FBA8 0x0001E5A8 0x00000291
HeapAlloc - 0x1800161E8 0x0001FBB0 0x0001E5B0 0x0000036C
HeapFree - 0x1800161F0 0x0001FBB8 0x0001E5B8 0x00000370
FindClose - 0x1800161F8 0x0001FBC0 0x0001E5C0 0x0000018F
FindFirstFileExW - 0x180016200 0x0001FBC8 0x0001E5C8 0x00000195
FindNextFileW - 0x180016208 0x0001FBD0 0x0001E5D0 0x000001A6
IsValidCodePage - 0x180016210 0x0001FBD8 0x0001E5D8 0x000003AE
GetACP - 0x180016218 0x0001FBE0 0x0001E5E0 0x000001CC
GetOEMCP - 0x180016220 0x0001FBE8 0x0001E5E8 0x000002B6
GetCPInfo - 0x180016228 0x0001FBF0 0x0001E5F0 0x000001DB
GetCommandLineA - 0x180016230 0x0001FBF8 0x0001E5F8 0x000001F0
GetCommandLineW - 0x180016238 0x0001FC00 0x0001E600 0x000001F1
MultiByteToWideChar - 0x180016240 0x0001FC08 0x0001E608 0x00000412
WideCharToMultiByte - 0x180016248 0x0001FC10 0x0001E610 0x00000637
GetEnvironmentStringsW - 0x180016250 0x0001FC18 0x0001E618 0x00000253
FreeEnvironmentStringsW - 0x180016258 0x0001FC20 0x0001E620 0x000001C4
USER32.dll (20)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
GetGestureInfo - 0x180016268 0x0001FC30 0x0001E630 0x0000015E
InvalidateRect - 0x180016270 0x0001FC38 0x0001E638 0x00000224
ScreenToClient - 0x180016278 0x0001FC40 0x0001E640 0x0000030C
CloseGestureInfoHandle - 0x180016280 0x0001FC48 0x0001E648 0x00000051
EndPaint - 0x180016288 0x0001FC50 0x0001E650 0x000000F4
BeginPaint - 0x180016290 0x0001FC58 0x0001E658 0x00000011
UpdateWindow - 0x180016298 0x0001FC60 0x0001E660 0x000003D0
PostQuitMessage - 0x1800162A0 0x0001FC68 0x0001E668 0x000002AF
LoadCursorW - 0x1800162A8 0x0001FC70 0x0001E670 0x00000259
GetMessageW - 0x1800162B0 0x0001FC78 0x0001E678 0x0000018B
DefWindowProcW - 0x1800162B8 0x0001FC80 0x0001E680 0x000000A7
DestroyWindow - 0x1800162C0 0x0001FC88 0x0001E688 0x000000B5
CreateWindowExW - 0x1800162C8 0x0001FC90 0x0001E690 0x00000076
RegisterClassExW - 0x1800162D0 0x0001FC98 0x0001E698 0x000002DF
LoadStringW - 0x1800162D8 0x0001FCA0 0x0001E6A0 0x00000268
ShowWindow - 0x1800162E0 0x0001FCA8 0x0001E6A8 0x00000396
DispatchMessageW - 0x1800162E8 0x0001FCB0 0x0001E6B0 0x000000BD
SetGestureConfig - 0x1800162F0 0x0001FCB8 0x0001E6B8 0x0000033F
TranslateAcceleratorW - 0x1800162F8 0x0001FCC0 0x0001E6C0 0x000003B4
TranslateMessage - 0x180016300 0x0001FCC8 0x0001E6C8 0x000003B6
GDI32.dll (6)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
Polyline - 0x180016000 0x0001F9C8 0x0001E3C8 0x0000032A
LineTo - 0x180016008 0x0001F9D0 0x0001E3D0 0x000002F9
CreatePen - 0x180016010 0x0001F9D8 0x0001E3D8 0x0000004F
MoveToEx - 0x180016018 0x0001F9E0 0x0001E3E0 0x0000030D
DeleteObject - 0x180016020 0x0001F9E8 0x0001E3E8 0x0000018F
SelectObject - 0x180016028 0x0001F9F0 0x0001E3F0 0x00000374
ntdll.dll (9)
API Name Ordinal IAT Address Thunk RVA Thunk Offset Hint
NtQueueApcThread - 0x180016310 0x0001FCD8 0x0001E6D8 0x0000020F
ZwOpenSymbolicLinkObject - 0x180016318 0x0001FCE0 0x0001E6E0 0x00000812
LdrFindResource_U - 0x180016320 0x0001FCE8 0x0001E6E8 0x00000074
NtAllocateVirtualMemory - 0x180016328 0x0001FCF0 0x0001E6F0 0x000000D9
NtTestAlert - 0x180016330 0x0001FCF8 0x0001E6F8 0x00000286
LdrAccessResource - 0x180016338 0x0001FD00 0x0001E700 0x00000064
RtlCaptureContext - 0x180016340 0x0001FD08 0x0001E708 0x00000305
RtlLookupFunctionEntry - 0x180016348 0x0001FD10 0x0001E710 0x00000509
RtlVirtualUnwind - 0x180016350 0x0001FD18 0x0001E718 0x0000064E
Exports (1)
API Name EAT Address Ordinal
DllRegisterServer 0x00010A70 0x00000001
File Name C:\Users\KEECFM~1\Desktop\rad5FFE2.tmp.dll
Category Downloaded File
Type HTML
Verdict Clean
MIME Type text/html
File Size 329 Bytes
MD5 2f29351c3c2aedcd43f92fac627a0f03
SHA1 00c87d5ce1dd0abadba4e362daf328e43cc6c225
SHA256 3eb884c8b8f8d7abfc17609b823d49ffdfff746e7ed6c72db1c76bc69af68ef9
SSDeep 6:pn0+Dy9xwIgsozEr6VyF02xxdGzKQQFEHcLgWugszvjsKtgsg93wzRbKqD:J0+oxBgsozR4F0+dgKUfWugszvjsKtg0
ImpHash -
Function Logfile

This feature requires an online connection to the VMRay backend.

An offline version with limited functionality is also provided. The offline version is supported only in Mozilla Firefox with the setting "security.fileuri.strict_origin_policy" deactivated.