Malicious
Classifications
Spyware
Threat Names
Trojan.GenericKDZ.76753 Gen:Variant.Mikey.113998
Dynamic Analysis Report
Created on 2021-09-28T09:29:00
2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991.exe.dll
Windows DLL (x86-64)
Remarks (2/2)
(0x02000009): DLL files normally need to be submitted with an appropriate loader. Analysis result may be incomplete if an appropriate loader was not submitted.
(0x0200000E): The overall sleep time of all monitored processes was truncated from "15 minutes, 30 seconds" to "4 minutes, 50 seconds" to reveal dormant functionality.
This is a filtered view
This list contains only the embedded files, downloaded files, and dropped files
| Filters: |
There are no files for this filter
There are no files in this analysis
| File Name | Category | Type | Verdict | Actions |
|---|
| C:\Users\RDhJ0CNFevzX\Desktop\2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991.exe.dll | Sample File | Binary |
malicious
|
...
|
»
| MIME Type | application/vnd.microsoft.portable-executable |
| File Size | 2.24 MB |
| MD5 |
31058530a762dc9f9bb34d28203f5314
|
| SHA1 |
28c5d0fc080868ebb37050a565796f19a48eee87
|
| SHA256 |
2f8c8a12a31d244689c70b428031eb90f3b791323ab6dfa45e2a3d5921877991
|
| SSDeep |
12288:xVI0W/TtlPLfJCm3WIYxJ9yK5IQ9PElOlidGAWilgm5Qq0nB6wtt4AenZ1:AfP7fWsK5z9A+WGAW+V5SB6Ct4bnb
|
| ImpHash |
6668be91e2c948b183827f040944057f
|
AV Matches (1)
»
| Threat Name | Verdict |
|---|---|
| Trojan.GenericKDZ.76753 |
malicious
|
PE Information
»
| Image Base | 0x140000000 |
| Entry Point | 0x140041070 |
| Size Of Code | 0x41000 |
| Size Of Initialized Data | 0x1fb000 |
| File Type | FileType.dll |
| Subsystem | Subsystem.windows_cui |
| Machine Type | MachineType.amd64 |
| Compile Timestamp | 2020-02-20 08:35:24+00:00 |
Version Information (8)
»
| CompanyName | Microsoft Corporati |
| FileDescription | Background Intellig |
| FileVersion | 7.5.7600.16385 (win7_rtm.090713- |
| InternalName | bitsp |
| LegalCopyright | © Microsoft Corporation. All rights reserv |
| OriginalFilename | kbdy |
| ProductName | Microsoft® Windows® Operating S |
| ProductVersion | 6.1.7600 |
Sections (50)
»
| Name | Virtual Address | Virtual Size | Raw Data Size | Raw Data Offset | Flags | Entropy |
|---|---|---|---|---|---|---|
| .text | 0x140001000 | 0x40796 | 0x41000 | 0x1000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.73 |
| .rdata | 0x140042000 | 0x64fd0 | 0x65000 | 0x42000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.87 |
| .data | 0x1400a7000 | 0x178b8 | 0x18000 | 0xa7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.32 |
| .pdata | 0x1400bf000 | 0x12c | 0x1000 | 0xbf000 | IMAGE_SCN_TYPE_DSECT, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.58 |
| .rsrc | 0x1400c0000 | 0x880 | 0x1000 | 0xc0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.24 |
| .reloc | 0x1400c1000 | 0x2324 | 0x3000 | 0xc1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 4.65 |
| .qkm | 0x1400c4000 | 0x74a | 0x1000 | 0xc4000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .cvjb | 0x1400c5000 | 0x1e66 | 0x2000 | 0xc5000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .tlmkv | 0x1400c7000 | 0xbde | 0x1000 | 0xc7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wucsxe | 0x1400c8000 | 0x45174 | 0x46000 | 0xc8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fltwtj | 0x14010e000 | 0x1267 | 0x2000 | 0x10e000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .sfplio | 0x140110000 | 0x736 | 0x1000 | 0x110000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rpg | 0x140111000 | 0x45174 | 0x46000 | 0x111000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .bewzc | 0x140157000 | 0x1124 | 0x2000 | 0x157000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .vksvaw | 0x140159000 | 0x736 | 0x1000 | 0x159000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wmhg | 0x14015a000 | 0x1278 | 0x2000 | 0x15a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .kswemc | 0x14015c000 | 0x36d | 0x1000 | 0x15c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .kaxfk | 0x14015d000 | 0x197d | 0x2000 | 0x15d000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .wualk | 0x14015f000 | 0xbde | 0x1000 | 0x15f000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .qdxz | 0x140160000 | 0xbde | 0x1000 | 0x160000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .rkyg | 0x140161000 | 0x1af | 0x1000 | 0x161000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .psul | 0x140162000 | 0x1af | 0x1000 | 0x162000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .pyjm | 0x140163000 | 0x1f7 | 0x1000 | 0x163000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .eoadme | 0x140164000 | 0x7fd | 0x1000 | 0x164000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fnz | 0x140165000 | 0x389 | 0x1000 | 0x165000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .gwheg | 0x140166000 | 0x45174 | 0x46000 | 0x166000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .fcd | 0x1401ac000 | 0x322 | 0x1000 | 0x1ac000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .dwk | 0x1401ad000 | 0x9cd | 0x1000 | 0x1ad000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .hgy | 0x1401ae000 | 0xae7 | 0x1000 | 0x1ae000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .nfm | 0x1401af000 | 0x46e | 0x1000 | 0x1af000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .qmfqd | 0x1401b0000 | 0xd57 | 0x1000 | 0x1b0000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .buzyfh | 0x1401b1000 | 0xbde | 0x1000 | 0x1b1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .piwc | 0x1401b2000 | 0x13e | 0x1000 | 0x1b2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .nnrqzz | 0x1401b3000 | 0x33731 | 0x34000 | 0x1b3000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .hycwe | 0x1401e7000 | 0x389 | 0x1000 | 0x1e7000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .unt | 0x1401e8000 | 0xf9 | 0x1000 | 0x1e8000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .hoj | 0x1401e9000 | 0x103 | 0x1000 | 0x1e9000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .xufjr | 0x1401ea000 | 0xbde | 0x1000 | 0x1ea000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .ukllwd | 0x1401eb000 | 0x23b | 0x1000 | 0x1eb000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .dmpewo | 0x1401ec000 | 0x543 | 0x1000 | 0x1ec000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .kerz | 0x1401ed000 | 0x736 | 0x1000 | 0x1ed000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .skdwx | 0x1401ee000 | 0x896 | 0x1000 | 0x1ee000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .diq | 0x1401ef000 | 0x197d | 0x2000 | 0x1ef000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .cbuheu | 0x1401f1000 | 0x13e | 0x1000 | 0x1f1000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .hwca | 0x1401f2000 | 0x45174 | 0x46000 | 0x1f2000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .mkabuo | 0x140238000 | 0x23b | 0x1000 | 0x238000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .vstkx | 0x140239000 | 0x23b | 0x1000 | 0x239000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .zpzkgm | 0x14023a000 | 0x13e | 0x1000 | 0x23a000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .qkdzqp | 0x14023b000 | 0x21b | 0x1000 | 0x23b000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.0 |
| .arp | 0x14023c000 | 0x13e | 0x1000 | 0x23c000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.65 |
Imports (7)
»
USER32.dll (4)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| LookupIconIdFromDirectoryEx | - | 0x140042098 | 0xa64c8 | 0xa64c8 | 0x205 |
| WaitForInputIdle | - | 0x1400420a0 | 0xa64d0 | 0xa64d0 | 0x32e |
| GetParent | - | 0x1400420a8 | 0xa64d8 | 0xa64d8 | 0x166 |
| GetFocus | - | 0x1400420b0 | 0xa64e0 | 0xa64e0 | 0x12e |
SETUPAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CM_Get_Resource_Conflict_DetailsW | - | 0x140042078 | 0xa64a8 | 0xa64a8 | 0x8a |
KERNEL32.dll (7)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| DeleteCriticalSection | - | 0x140042038 | 0xa6468 | 0xa6468 | 0xd2 |
| DeleteTimerQueue | - | 0x140042040 | 0xa6470 | 0xa6470 | 0xd9 |
| TerminateJobObject | - | 0x140042048 | 0xa6478 | 0xa6478 | 0x4cd |
| GetFileInformationByHandle | - | 0x140042050 | 0xa6480 | 0xa6480 | 0x1f3 |
| GetThreadLocale | - | 0x140042058 | 0xa6488 | 0xa6488 | 0x293 |
| GetNamedPipeServerProcessId | - | 0x140042060 | 0xa6490 | 0xa6490 | 0x229 |
| GetConsoleFontSize | - | 0x140042068 | 0xa6498 | 0xa6498 | 0x1aa |
GDI32.dll (2)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CreateBitmapIndirect | - | 0x140042020 | 0xa6450 | 0xa6450 | 0x2b |
| GetPolyFillMode | - | 0x140042028 | 0xa6458 | 0xa6458 | 0x206 |
CRYPT32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| CertGetCTLContextProperty | - | 0x140042010 | 0xa6440 | 0xa6440 | 0x44 |
ADVAPI32.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| AddAccessDeniedObjectAce | - | 0x140042000 | 0xa6430 | 0xa6430 | 0x15 |
SHLWAPI.dll (1)
»
| API Name | Ordinal | IAT Address | Thunk RVA | Thunk Offset | Hint |
|---|---|---|---|---|---|
| ChrCmpIW | - | 0x140042088 | 0xa64b8 | 0xa64b8 | 0xa |
Exports (6)
»
| Api name | EAT Address | Ordinal |
|---|---|---|
| CreateXmlReader | 0x8798 | 0x1 |
| CreateXmlReaderInputWithEncodingCodePage | 0x20784 | 0x2 |
| CreateXmlReaderInputWithEncodingName | 0x2bc1c | 0x3 |
| CreateXmlWriter | 0x29708 | 0x4 |
| CreateXmlWriterOutputWithEncodingCodePage | 0x1c9ec | 0x5 |
| CreateXmlWriterOutputWithEncodingName | 0x3a458 | 0x6 |
