
Rundll32 exe mui

Program does not show much activity (idle)
Rdata
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Code function: 0_2_00007FF64A3F1900 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW,
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Code function: 0_2_00007FF64A3F23B0 GetProcessHeap,HeapAlloc,
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in.
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in.
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in.
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in.
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in.
PE file contains a valid data directory to section mapping
Exe
Binary string: rundll32.pdbGCTL source: rundll32.exe
Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary string: rundll32.pdb source: rundll32.
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Contains modern PE file flags such as dynamic base (ASLR) or NX
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
PE file contains a mix of data directories often seen in goodware
PE file has a high image base, often used for DLLs
Exe 'C:\Users\user\Desktop\rundll32.exe'
Process created: C:\Users\user\Desktop\rundll32.
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Text section and no other executable section
Sample file is different than original file name gathered from version info
Binary or memory string: OriginalFilename vs rundll32.exe
Classification label: sus24.winE
functionality for error logging
Code function: 0_2_00007FF64A3F34EC LoadLibraryExW,GetLastError,FormatMessageW,LoadStringW,WideCharToMultiByte,LocalAlloc,WideCharToMultiByte,LoadStringW,LoadStringW,FreeLibrary,
Contains functionality to instantiate COM classes
Code function: 0_2_00007FF64A3F2D8C CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CreateEventW,GetCurrentThreadId,CreateEventW,SetEvent,CloseHandle,CoWaitForMultipleHandles,CloseHandle,CoUninitialize,
Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST


Exe
Code function: 0_2_00007FF64A3F3858 NtQuerySystemInformation,
Code function: 0_2_00007FF64A3F5DCC NtOpenProcessToken,RtlNtStatusToDosError,NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,
Source: C:\Users\user\Desktop\rundll32.
Contains functionality to call native functions
