rundll32.exe

Windows host process (Rundll32)

Microsoft Corporation

Rundll32 loads a DLL and calls one of its exported functions, so that code packaged as a library can be run as its own process. This build ships with the Windows 8.1 (Blue) RTM release. The file has been seen being downloaded from onedrive.live.com and multiple other hosts.
Publisher:
Microsoft Corporation

Product:
Microsoft® Windows® Operating System

Description:
Windows host process (Rundll32)

 
Part of the Windows 8.1 (Blue) Operating System

Version:
6.3.9600.16384 (winblue_rtm.130821-1623)

MD5:
8bfe805555cdaf6387912a34d7978daa

SHA-1:
b95a4c3d3722093a3e8fc54c578858e698df8437

SHA-256:
6f9195d85b386099f9f63e3319f5e9e85e0f3a1f0d48cfc9a37e7eff65225933

Scanner detections:
0 / 68

Status:
Clean (as of last analysis)
Whitelisted  (by digital signature)

Analysis date:
12/25/2024 1:39:31 PM UTC

File size:
50 KB (51,200 bytes)

Product version:
6.3.9600.16384

Copyright:
© Microsoft Corporation. All rights reserved.

Original file name:
RUNDLL32.EXE.MUI

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\windows\syswow64\rundll32.exe

File PE Metadata
Compilation timestamp:
10/29/2014 1:40:50 AM

OS version:
6.3

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
11.0

CTPH (ssdeep):
768:WnL6w6G3lZcX/TuSKCRTowakRunRJbSEln5IyYpamDjobj8S:A/18/TLOwaNnRDln5IUmDjoX

Entry address:
0x18A0

Entry point:
E8, A3, FF, FF, FF, 6A, 5C, 68, B8, 19, 40, 00, E8, 5B, 03, 00, 00, 83, 65, DC, 00, 83, 65, FC, 00, 8D, 45, 94, 50, FF, 15, 84, 70, 40, 00, C7, 45, FC, FE, FF, FF, FF, 33, DB, 43, 89, 5D, FC, 64, A1, 18, 00, 00, 00, 8B, 78, 04, 33, F6, BA, 48, 60, 40, 00, 8B, CF, 33, C0, F0, 0F, B1, 0A, 85, C0, 0F, 85, 2C, 01, 00, 00, 39, 1D, 28, 60, 40, 00, 0F, 84, 2B, 01, 00, 00, 83, 3D, 28, 60, 40, 00, 00, 0F, 85, D6, 0A, 00, 00, 89, 1D, 28, 60, 40, 00, 68, B4, 19, 40, 00, 68, A8, 19, 40, 00, E8, AA, FE, FF, FF, 59, 59...
 

Entropy:
6.0439

Code size:
16.5 KB (16,896 bytes)
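As an added example (not code from the scanner page or from Microsoft), the following Python script reads the same PE header fields listed under File PE Metadata (compilation timestamp, OS and linker version, subsystem, entry address and the bytes at the entry point, code size), plus the three hashes and the entropy, with only the standard library. The ssdeep hash is omitted because it needs a third-party library. The image returned by build_sample_pe() is constructed for the test and is not rundll32.exe; its header values were chosen to mirror the report above.

```python
"""Added example: read the PE header fields listed above (timestamp, entry
address and bytes, subsystem, linker/OS version, code size), the file hashes and
the Shannon entropy of a Win32 executable using only the standard library.
Not part of the scanner report; the sample image at the bottom is constructed."""
import hashlib
import math
import struct
import sys
from datetime import datetime, timezone

SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (all identical) .. 8.0 (uniform), as in the Entropy field."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rva_to_offset(data: bytes, table: int, nsections: int, rva: int):
    """Map a relative virtual address to a file offset via the section table."""
    for i in range(nsections):
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    return None


def pe_summary(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, ..., SizeOfOptionalHeader
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    lmaj, lmin, code_size, _, _, entry_rva = struct.unpack_from("<BBIIII", data, opt + 2)
    # These offsets are identical for PE32 (0x10B) and PE32+ (0x20B)
    os_maj, os_min = struct.unpack_from("<HH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    # Data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY) points at an attached
    # WIN_CERTIFICATE blob; its presence is not a validated signature
    dd_base = opt + (96 if magic == 0x10B else 112)
    _, sec_size = struct.unpack_from("<II", data, dd_base + 4 * 8)
    entry_off = rva_to_offset(data, opt + opt_size, nsections, entry_rva)
    entry_bytes = data[entry_off:entry_off + 16] if entry_off is not None else b""
    return {
        "machine": hex(machine),
        "bitness": "Win32" if magic == 0x10B else "Win64",
        "compile_time_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "linker_version": f"{lmaj}.{lmin}",
        "os_version": f"{os_maj}.{os_min}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "entry_rva": hex(entry_rva),
        "entry_bytes": ", ".join(f"{b:02X}" for b in entry_bytes),
        "code_size": code_size,
        "file_size": len(data),
        "has_embedded_signature": sec_size != 0,
        "entropy": round(shannon_entropy(data), 4),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image for testing the parser (not rundll32.exe)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1414546850, 0, 0, 224, 0x0102)  # 2014-10-29 01:40:50 UTC
    opt = struct.pack("<HBB" + "I" * 9 + "HHHHHH" + "IIII" + "HH" + "IIII" + "II",
                      0x10B, 11, 0,                 # PE32, linker 11.0
                      0x200, 0, 0, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 3, 0, 0, 6, 3,             # OS version 6.3
                      0, 0x2000, 0x200, 0,
                      2, 0x8140,                    # Subsystem 2 = Windows GUI
                      0x100000, 0x1000, 0x100000, 0x1000,
                      0, 16) + b"\0" * 128          # 16 empty data directories
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(0x200, b"\0")
    code = b"\xE8\xA3\xFF\xFF\xFF\x6A\x5C\x68".ljust(0x200, b"\0")  # first bytes borrowed from the Entry point field above
    return headers + code


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(target, "rb").read() if target else build_sample_pe()
    for key, value in pe_summary(blob).items():
        print(f"{key:>22}: {value}")
```

Run it as `python pe_summary.py C:\Windows\SysWOW64\rundll32.exe` and compare the SHA-256 with the value listed above; a different digest only means a different build or a language-specific copy, not tampering. The has_embedded_signature field reports only that an Authenticode blob is attached (data directory 4) and says nothing about whether the certificate chain validates; the Whitelisted status above rests on the signature, so on Windows confirm it with Get-AuthenticodeSignature before acting on a hash match or mismatch.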

The file rundll32.exe has been seen being distributed by the following 10 URLs.

https://onedrive.live.com/download.aspx?cid=65074D4F5C3BF60B&resid=65074D4F5C3BF60B!145&canary=kmvAijIq2gAtP jSZZkErt YJpLUGWSSbJtkQCsMEXY=3&ithint=.exe

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-xUlhpWlW3Fy4Z_3bibWxGZe0hBjkQktihBpW2G5l9Vmy-Vb8RJ9H4zG8jsQdQbUE-OZtZrw2rULBXQ-scIJXZQ/messages/@.id==AAe_imIAAhnpV1PKtwVquIy1J90/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=89081f07-281e-8144-0109-0c0035010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBbXpSPmi4h_D834GrFCOIPfR86PPCE7-J9DwsNXY-9thQ&error=https://us-mg5.mail.yahoo.com/.../iframemsg?id=056cb9d2-18ef-2a5d-922a-568df0e9a423

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-fUyHI4xYCGF1OVFSna3c0Yc2yMu_pY-v94QSFMxWraBv7xvFcp5ImAblmLmybwQh/messages/@.id==AMa_imIAACDHVtQFLQKjyIIZdNA/content/parts/@.id==2/raw?appid=YahooMailNeo&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBZ6S7ykJOhRzL0Z4bndjBvI4QS589m2ULn4HOf3kMCF_g&error=https://us-mg5.mail.yahoo.com/.../iframemsg?id=8fd816d9-4b9a-1e75-4044-f26b78114e64&ymreqid=553df32b-c67c-230d-0195-77012c010000

http://webmail.chittoordccb.org:2095/cpsess5258034127/3rdparty/.../?_task=mail&_action=get&_mbox=INBOX.Sent&_uid=346&_part=2&_download=1

https://onedrive.live.com/download.aspx?cid=5BE596A34F341CBC&resid=5BE596A34F341CBC!175&canary=3VdB794lSz/.../34rmQ=4

https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjJ-D_4dku0TphyLJ0zc9RFpgVRFXiirg9T4Dd3dpAm-sK0vmrBcZCKBYcvE8d7aBsBvUWhjIv2uHVC2R0Wv8Q9VgQ/messages/@.id==ACXFCmoAAMtSV4qRYwjpQP32_Ck/content/parts/@.id==2/raw?appid=YahooMailNeo&ymreqid=a836f34c-ba74-2ff9-013d-fa001a010000&token=zitEzqOML3j84e6ealFTT5U7-km5qEQF52lp7AcCuBbgDGwnpzi5IMBnBAqMfKI8JxZxF1QAURfYo25nPQoDXxh-J5C6LyUnkpuuSevalNc&error=https://mg.mail.yahoo.com/.../iframemsg?id=4c00738f-bc1c-d0e2-51e5-f8c89ec87c73