rundll32[.]exe

Sharing

Copy URL Twitter E-mail

General

Target

rundll32.exe
Size

87KB
MD5

d28778d07c8f7ca59b7569e4eda54512
SHA1

34661f530c6bc94aa1f307df30f75733e5d87382
SHA256

770832da77324f205306b4d89c02ba2b98dce87207a82d4bf9b1d076608862d6
SHA512

4a37921b19bdf38e739c5dbd14298f08c55dcce441315c4c6624421177c39b89cbe8af40f0cb9f91def912a7e6a0e3a3c000ff9d5cac438782a4e767b7f4cc8b
SSDEEP

1536:BOTOAGzDkqdw/kzfZDQmpBVvzh1biAhC8TKrmcZRGln5IUmDjoX:Jmqmgf+IBZh1bi8T9kRGln5I

Score

3^/10

Malware Config

Signatures

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
rundll32.exe

Files

rundll32.exe
.exe windows:10 windows x64 arch:x64

Password: paladin

f207a867d6098266ee63a3ca677eb0ff

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

PDB Paths

rundll32.pdb

Imports

msvcrt

_exit
_commode
_cexit
_unlock
_vsnwprintf
exit
_initterm
__C_specific_handler
_fmode
_lock
_onexit
_wcmdln
_amsg_exit
__CxxFrameHandler3
__wgetmainargs
?terminate@@YAXXZ
__set_app_type
memcmp
_XcptFilter
free
_purecall
__dllonexit
_wtoi
memcpy_s
__setusermatherr
_callnewh
malloc
memmove_s
memset

api-ms-win-core-com-l1-1-0

CoUninitialize
CoWaitForMultipleHandles
CoAddRefServerProcess
CoReleaseServerProcess
CoResumeClassObjects
CoCreateInstance
CoInitializeSecurity
CLSIDFromString
CoInitializeEx
CoRevokeClassObject
CoRegisterClassObject

api-ms-win-core-file-l1-1-0

CreateFileW
ReadFile
SetFilePointer
GetFileAttributesW

api-ms-win-core-libraryloader-l1-2-0

FreeLibrary
LoadLibraryExW
GetModuleHandleW
GetProcAddress
GetModuleHandleExW
GetModuleFileNameA
LoadStringW

api-ms-win-core-wow64-l1-1-1

IsWow64Process2
GetSystemWow64Directory2W

api-ms-win-core-synch-l1-2-0

InitOnceExecuteOnce
Sleep

api-ms-win-core-synch-l1-1-0

AcquireSRWLockShared
CreateSemaphoreExW
SetEvent
ReleaseSemaphore
AcquireSRWLockExclusive
CreateMutexExW
WaitForSingleObjectEx
CreateEventW
WaitForSingleObject
OpenSemaphoreW
ReleaseMutex
InitializeCriticalSectionEx
DeleteCriticalSection
ReleaseSRWLockShared
EnterCriticalSection
ReleaseSRWLockExclusive
LeaveCriticalSection

api-ms-win-core-heap-l1-1-0

HeapFree
HeapAlloc
GetProcessHeap
HeapSetInformation

api-ms-win-core-errorhandling-l1-1-0

GetLastError
SetUnhandledExceptionFilter
SetErrorMode
SetLastError
UnhandledExceptionFilter

api-ms-win-core-processenvironment-l1-1-0

GetCommandLineW
SearchPathW

api-ms-win-core-processthreads-l1-1-0

GetStartupInfoW
CreateProcessW
GetCurrentProcess
GetCurrentThreadId
ExitProcess
GetCurrentProcessId
TerminateProcess

api-ms-win-core-util-l1-1-0

EncodePointer
DecodePointer

api-ms-win-core-heap-l2-1-0

LocalAlloc
LocalFree

api-ms-win-core-sysinfo-l1-1-0

GetSystemTimeAsFileTime
GetSystemDirectoryW
GetTickCount

api-ms-win-core-winrt-error-l1-1-0

RoOriginateErrorW
RoOriginateError

api-ms-win-core-localization-l1-2-0

FormatMessageW

api-ms-win-core-console-l1-2-0

AttachConsole
FreeConsole

api-ms-win-core-debug-l1-1-0

OutputDebugStringW
DebugBreak
IsDebuggerPresent

api-ms-win-core-handle-l1-1-0

CloseHandle

api-ms-win-core-path-l1-1-0

PathCchAppend

api-ms-win-core-console-l1-1-0

WriteConsoleW

api-ms-win-core-string-l1-1-0

CompareStringW
WideCharToMultiByte

api-ms-win-core-rtlsupport-l1-1-0

RtlVirtualUnwind
RtlLookupFunctionEntry
RtlCaptureContext

api-ms-win-core-profile-l1-1-0

QueryPerformanceCounter

api-ms-win-core-string-l2-1-0

CharNextW

api-ms-win-core-threadpool-l1-2-0

CreateThreadpoolTimer
SetThreadpoolTimer
CloseThreadpoolTimer
WaitForThreadpoolTimerCallbacks

api-ms-win-core-kernel32-private-l1-1-0

Wow64EnableWow64FsRedirection

api-ms-win-core-sidebyside-l1-1-0

CreateActCtxW
ActivateActCtx
ReleaseActCtx
QueryActCtxW
DeactivateActCtx

api-ms-win-downlevel-shlwapi-l1-1-0

PathIsRelativeW

api-ms-win-downlevel-shlwapi-l2-1-0

SHSetThreadRef

imagehlp

ImageDirectoryEntryToData

ntdll

NtClose
NtOpenProcessToken
RtlNtStatusToDosError
NtSetInformationToken
RtlSetSearchPathMode
RtlWow64IsWowGuestMachineSupported
RtlImageNtHeader
NtQuerySystemInformation
NtQueryInformationToken

api-ms-win-core-delayload-l1-1-1

ResolveDelayLoadedAPI

api-ms-win-core-delayload-l1-1-0

DelayLoadFailureHook

api-ms-win-core-apiquery-l1-1-0

ApiSetQueryApiSetPresence

Sections

.text
Size: 41KB - Virtual size: 40KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 15KB - Virtual size: 15KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 2KB - Virtual size: 2KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.didat
Size: 512B - Virtual size: 264B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 26KB - Virtual size: 25KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 280B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

Password: paladin

f207a867d6098266ee63a3ca677eb0ff

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

msvcrt

api-ms-win-core-com-l1-1-0

api-ms-win-core-file-l1-1-0

api-ms-win-core-libraryloader-l1-2-0

api-ms-win-core-wow64-l1-1-1

api-ms-win-core-synch-l1-2-0

api-ms-win-core-synch-l1-1-0

api-ms-win-core-heap-l1-1-0

api-ms-win-core-errorhandling-l1-1-0

api-ms-win-core-processenvironment-l1-1-0

api-ms-win-core-processthreads-l1-1-0

api-ms-win-core-util-l1-1-0

api-ms-win-core-heap-l2-1-0

api-ms-win-core-sysinfo-l1-1-0

api-ms-win-core-winrt-error-l1-1-0

api-ms-win-core-localization-l1-2-0

api-ms-win-core-console-l1-2-0

api-ms-win-core-debug-l1-1-0

api-ms-win-core-handle-l1-1-0

api-ms-win-core-path-l1-1-0

api-ms-win-core-console-l1-1-0

api-ms-win-core-string-l1-1-0

api-ms-win-core-rtlsupport-l1-1-0

api-ms-win-core-profile-l1-1-0

api-ms-win-core-string-l2-1-0

api-ms-win-core-threadpool-l1-2-0

api-ms-win-core-kernel32-private-l1-1-0

api-ms-win-core-sidebyside-l1-1-0

api-ms-win-downlevel-shlwapi-l1-1-0

api-ms-win-downlevel-shlwapi-l2-1-0

imagehlp

ntdll

api-ms-win-core-delayload-l1-1-1

api-ms-win-core-delayload-l1-1-0

api-ms-win-core-apiquery-l1-1-0

Sections

.text Size: 41KB - Virtual size: 40KB

.rdata Size: 15KB - Virtual size: 15KB

.data Size: 512B - Virtual size: 2KB

.pdata Size: 2KB - Virtual size: 2KB

.didat Size: 512B - Virtual size: 264B

.rsrc Size: 26KB - Virtual size: 25KB

.reloc Size: 512B - Virtual size: 280B

.text
Size: 41KB - Virtual size: 40KB

.rdata
Size: 15KB - Virtual size: 15KB

.data
Size: 512B - Virtual size: 2KB

.pdata
Size: 2KB - Virtual size: 2KB

.didat
Size: 512B - Virtual size: 264B

.rsrc
Size: 26KB - Virtual size: 25KB

.reloc
Size: 512B - Virtual size: 280B