Edit tour

Windows Analysis Report
sql.tmp.dll.dll

Overview

General Information

Sample name:	sql.tmp.dll.dll (renamed file extension from exe to dll)
Original sample name:	sql.tmp.dll.exe
Analysis ID:	1378285
MD5:	d8a8cc25bf5ef5b96ff7a64f663cbd29
SHA1:	d1e5e29c162566ce1d8a3d9c1a758fdbfef74174
SHA256:	aec915753612bb003330ce7ffc67cfa9d7e3c12310f0ecfd0b7e50abf427989a
Tags:	aptexeLazarus
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Execute DLL with spoofed extension

System process connects to network (likely due to code injection or exploit)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Found evasive API chain (date check)

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64

loaddll64.exe (PID: 432 cmdline: loaddll64.exe "C:\Users\user\Desktop\sql.tmp.dll.dll" MD5: 763455F9DCB24DFEECC2B9D9F8D46D52)

conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7052 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",#1 MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

rundll32.exe (PID: 6668 cmdline: rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",#1 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 6276 cmdline: rundll32.exe C:\Users\user\Desktop\sql.tmp.dll.dll,CalculateSum MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2436 cmdline: rundll32.exe C:\Users\user\Desktop\sql.tmp.dll.dll,CalculateSumW MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 2916 cmdline: rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",CalculateSum MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3564 cmdline: rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",CalculateSumW MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 3624 cmdline: RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555 MD5: EF3179D498793BF4234F708D3BE28633)

rundll32.exe (PID: 7756 cmdline: RUNDLL32.exe C:\Users\user\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Users\user\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555 MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Sigma Signatures

Data Obfuscation

Sigma detected: Execute DLL with spoofed extension

Source: Process started

Author: Joe Security: Data: Command: RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555, CommandLine: RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555, CommandLine|base64offset|contains: y, Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555, ProcessId: 3624, ProcessName: rundll32.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://91.206.178.125/upload/upload.aspi	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp.;	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspf	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspJ	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspL	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspVe	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp6;	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp8;	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspB	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asphttp://91.206.17	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspD	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspm32	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp6	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp$;	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspz	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.asp?;	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspG;	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspT	Avira URL Cloud: Label: malware
Source: http://91.206.178.125/upload/upload.aspuip	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat

Avira: detection malicious, Label: TR/ATRAPS.Gen

Multi AV Scanner detection for domain / URL

Source: http://91.206.178.125/upload/upload.asp	Virustotal: Detection: 13%			Perma Link
Source: http://91.206.178.125/	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat	Virustotal: Detection: 57%			Perma Link

Multi AV Scanner detection for submitted file

Source: sql.tmp.dll.dll	Virustotal: Detection: 64%			Perma Link
Source: sql.tmp.dll.dll	ReversingLabs: Detection: 55%

Source: C:\Windows\System32\rundll32.exe

Code function: 21_2_0000000180007040 malloc,CryptAcquireContextW,GetLastError,wprintf,CryptCreateHash,GetLastError,wprintf,CryptReleaseContext,CryptHashData,GetLastError,wprintf,CryptReleaseContext,CryptDestroyHash,CryptGetHashParam,GetLastError,CryptReleaseContext,CryptDestroyHash,

21_2_0000000180007040

Source: sql.tmp.dll.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: F:\workspace\CBG\npmLoaderDll\x64\Release\npmLoaderDll.pdb source: sql.tmp.dll.dll
Source:	Binary string: F:\workspace\CBG\npmLoaderDll\x64\Release\npmLoaderDll.pdb source: sql.tmp.dll.dll

Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 91.206.178.125 80

Jump to behavior

Source: Joe Sandbox View

ASN Name: ARTNET2PL ARTNET2PL

Source: global traffic

TCP traffic: 192.168.2.7:49704 -> 91.206.178.125:80

Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125
Source: unknown	TCP traffic detected without corresponding DNS query: 91.206.178.125

Source: C:\Windows\System32\rundll32.exe

Code function: 21_2_00000001800023F0 HttpQueryInfoA,InternetQueryDataAvailable,InternetReadFile,InternetQueryDataAvailable,

21_2_00000001800023F0

Source: rundll32.exe, 00000015.00000003.1906074262.00000156BBAFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBAFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/
Source: rundll32.exe, 00000015.00000003.2329071923.00000156BBAFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2448645763.0000000180016000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBAFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2449155633.0000003402DC4000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBA68000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBAE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp
Source: rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp$;
Source: rundll32.exe, 00000015.00000003.2117386294.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp.;
Source: rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp6
Source: rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp6;
Source: rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp8;
Source: rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asp?;
Source: rundll32.exe, 00000015.00000003.1905870521.00000156BBAE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBAE9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspB
Source: rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspD
Source: rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspG;
Source: rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspJ
Source: rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspL
Source: rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspT
Source: rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspVe
Source: rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspf
Source: rundll32.exe, 00000015.00000002.2448740513.0000000180051000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.asphttp://91.206.17
Source: rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspi
Source: rundll32.exe, 00000015.00000002.2450175834.00000156BBAFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspj
Source: rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspm32
Source: rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspuip
Source: rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.206.178.125/upload/upload.aspz
Source: rundll32.exe, 00000008.00000002.1259984640.000001DD2429E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft

Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180002430	4_3_0000000180002430
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_000000018000966C	4_3_000000018000966C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800017C0	4_3_00000001800017C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180001000	4_3_0000000180001000
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180008818	4_3_0000000180008818
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_000000018001401C	4_3_000000018001401C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800028C0	4_3_00000001800028C0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180001180	4_3_0000000180001180
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800039CB	4_3_00000001800039CB
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180006A90	4_3_0000000180006A90
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180014AD0	4_3_0000000180014AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180007AD8	4_3_0000000180007AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180011EEC	4_3_0000000180011EEC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180009AEC	4_3_0000000180009AEC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180004B20	4_3_0000000180004B20
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180007360	4_3_0000000180007360
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_000000018000BB9C	4_3_000000018000BB9C
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800137B8	4_3_00000001800137B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_000000018000C7B8	4_3_000000018000C7B8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800013E0	4_3_00000001800013E0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180002430	7_3_0000000180002430
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_000000018000966C	7_3_000000018000966C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800017C0	7_3_00000001800017C0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180001000	7_3_0000000180001000
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180008818	7_3_0000000180008818
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_000000018001401C	7_3_000000018001401C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800028C0	7_3_00000001800028C0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180001180	7_3_0000000180001180
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800039CB	7_3_00000001800039CB
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180006A90	7_3_0000000180006A90
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180014AD0	7_3_0000000180014AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180007AD8	7_3_0000000180007AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180011EEC	7_3_0000000180011EEC
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180009AEC	7_3_0000000180009AEC
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180004B20	7_3_0000000180004B20
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180007360	7_3_0000000180007360
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_000000018000BB9C	7_3_000000018000BB9C
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800137B8	7_3_00000001800137B8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_000000018000C7B8	7_3_000000018000C7B8
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800013E0	7_3_00000001800013E0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180002430	8_3_0000000180002430
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_000000018000966C	8_3_000000018000966C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800017C0	8_3_00000001800017C0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180001000	8_3_0000000180001000
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180008818	8_3_0000000180008818
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_000000018001401C	8_3_000000018001401C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800028C0	8_3_00000001800028C0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180001180	8_3_0000000180001180
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800039CB	8_3_00000001800039CB
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180006A90	8_3_0000000180006A90
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180014AD0	8_3_0000000180014AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180007AD8	8_3_0000000180007AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180011EEC	8_3_0000000180011EEC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180009AEC	8_3_0000000180009AEC
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180004B20	8_3_0000000180004B20
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180007360	8_3_0000000180007360
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_000000018000BB9C	8_3_000000018000BB9C
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800137B8	8_3_00000001800137B8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_000000018000C7B8	8_3_000000018000C7B8
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800013E0	8_3_00000001800013E0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180002430	9_3_0000000180002430
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_000000018000966C	9_3_000000018000966C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800017C0	9_3_00000001800017C0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180001000	9_3_0000000180001000
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180008818	9_3_0000000180008818
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_000000018001401C	9_3_000000018001401C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800028C0	9_3_00000001800028C0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180001180	9_3_0000000180001180
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800039CB	9_3_00000001800039CB
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180006A90	9_3_0000000180006A90
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180014AD0	9_3_0000000180014AD0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180007AD8	9_3_0000000180007AD8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180011EEC	9_3_0000000180011EEC
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180009AEC	9_3_0000000180009AEC
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180004B20	9_3_0000000180004B20
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180007360	9_3_0000000180007360
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_000000018000BB9C	9_3_000000018000BB9C
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800137B8	9_3_00000001800137B8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_000000018000C7B8	9_3_000000018000C7B8
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800013E0	9_3_00000001800013E0
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_00007FFB226732F1	21_2_00007FFB226732F1
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_00007FFB22671CCA	21_2_00007FFB22671CCA
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_00007FFB22674CC4	21_2_00007FFB22674CC4
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_00007FFB22674F68	21_2_00007FFB22674F68
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_00007FFB22671C84	21_2_00007FFB22671C84
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180007400	21_2_0000000180007400
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180002040	21_2_0000000180002040
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_000000018000EA8C	21_2_000000018000EA8C
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180008ED0	21_2_0000000180008ED0
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180002540	21_2_0000000180002540
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_00000001800047F0	21_2_00000001800047F0
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180001000	21_2_0000000180001000
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180007A30	21_2_0000000180007A30
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180007040	21_2_0000000180007040
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_000000018000A284	21_2_000000018000A284
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180008290	21_2_0000000180008290
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_000000018000369B	21_2_000000018000369B
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180009CE0	21_2_0000000180009CE0
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_000000018000EF0C	21_2_000000018000EF0C
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_000000018000C518	21_2_000000018000C518
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180006770	21_2_0000000180006770
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180008B70	21_2_0000000180008B70
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180001180	21_2_0000000180001180
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_000000018001119C	21_2_000000018001119C
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_000000018000B5A0	21_2_000000018000B5A0
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_000000018000DFAC	21_2_000000018000DFAC
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_00000001800013E0	21_2_00000001800013E0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat 00433EBF3B21C1C055D4AB8A599D3E84F03B328496236B54E56042CEF2146B1C

Source: C:\Windows\System32\rundll32.exe

Code function: String function: 000000018000B40C appears 44 times

Source: sql.tmp.dll.dll

Static PE information: Section: .data ZLIB complexity 0.9890470436151079

Source: classification engine

Classification label: mal96.evad.winDLL@16/2@0/1

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_00000001800017C0 CoInitializeEx,wprintf,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysAllocString,SysFreeString,MultiByteToWideChar,SysAllocString,SysFreeString,SysAllocString,SysFreeString,SysFreeString,SysAllocString,VariantInit,VariantInit,SysAllocString,SysFreeString,VariantClear,VariantClear,VariantClear,CoUninitialize,wprintf,CoUninitialize,

4_3_00000001800017C0

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_03

Source: sql.tmp.dll.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll64.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\sql.tmp.dll.dll,CalculateSum

Source: sql.tmp.dll.dll	Virustotal: Detection: 64%
Source: sql.tmp.dll.dll	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\sql.tmp.dll.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\sql.tmp.dll.dll,CalculateSum
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",#1
Source: unknown	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\sql.tmp.dll.dll,CalculateSumW
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",CalculateSum
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",CalculateSumW
Source: unknown	Process created: C:\Windows\System32\rundll32.exe RUNDLL32.exe C:\Users\user\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Users\user\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\sql.tmp.dll.dll,CalculateSum	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\sql.tmp.dll.dll,CalculateSumW	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",CalculateSum	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",CalculateSumW	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",#1	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: sql.tmp.dll.dll

Static PE information: Image base 0x180000000 > 0x60000000

Source: sql.tmp.dll.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: sql.tmp.dll.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: F:\workspace\CBG\npmLoaderDll\x64\Release\npmLoaderDll.pdb source: sql.tmp.dll.dll
Source:	Binary string: F:\workspace\CBG\npmLoaderDll\x64\Release\npmLoaderDll.pdb source: sql.tmp.dll.dll

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_000000018000EE74 LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

4_3_000000018000EE74

Source: C:\Windows\System32\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat

Jump to dropped file

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_21-18489

Source: C:\Windows\System32\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_21-16680

Source: C:\Windows\System32\loaddll64.exe TID: 2012	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\rundll32.exe TID: 7776	Thread sleep time: -240000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll64.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Thread delayed: delay time: 60000			Jump to behavior

Source: rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBAE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBA68000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBAE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\rundll32.exe

API call chain: ExitProcess graph end node

graph_21-16682

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_0000000180009284 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

4_3_0000000180009284

Source: C:\Windows\System32\rundll32.exe

4_3_000000018000EE74

Source: C:\Windows\System32\rundll32.exe

Code function: 21_2_00007FFB22671440 VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc,

21_2_00007FFB22671440

Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_0000000180009284 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_3_0000000180009284
Source: C:\Windows\System32\rundll32.exe	Code function: 4_3_00000001800072A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_3_00000001800072A0
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_0000000180009284 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_3_0000000180009284
Source: C:\Windows\System32\rundll32.exe	Code function: 7_3_00000001800072A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_3_00000001800072A0
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_0000000180009284 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_3_0000000180009284
Source: C:\Windows\System32\rundll32.exe	Code function: 8_3_00000001800072A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_3_00000001800072A0
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_0000000180009284 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_3_0000000180009284
Source: C:\Windows\System32\rundll32.exe	Code function: 9_3_00000001800072A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_3_00000001800072A0
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_00007FFB22674318 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_00007FFB22674318
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_00007FFB22673900 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_00007FFB22673900
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_0000000180009400 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	21_2_0000000180009400
Source: C:\Windows\System32\rundll32.exe	Code function: 21_2_000000018000C00C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	21_2_000000018000C00C

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\rundll32.exe

Network Connect: 91.206.178.125 80

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",#1

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_0000000180007964 GetSystemTimeAsFileTime,

4_3_0000000180007964

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_000000018000966C _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

4_3_000000018000966C

Source: C:\Windows\System32\rundll32.exe

Code function: 4_3_000000018000BA5C HeapCreate,GetVersion,HeapSetInformation,

4_3_000000018000BA5C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	3 Native API	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	11 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	11 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	3 System Information Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sql.tmp.dll.dll	64%	Virustotal		Browse
sql.tmp.dll.dll	55%	ReversingLabs	Win64.Trojan.NukeSped

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat	100%	Avira	TR/ATRAPS.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat	47%	ReversingLabs	Win64.Trojan.TurtleLoader
C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat	57%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://schemas.microsoft	0%	URL Reputation	safe
http://91.206.178.125/upload/upload.aspi	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.asp.;	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.asp	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspf	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspJ	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspL	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspVe	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.asp6;	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.asp8;	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.asp	13%	Virustotal		Browse
http://91.206.178.125/	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspB	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.asphttp://91.206.17	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspD	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspm32	100%	Avira URL Cloud	malware
http://91.206.178.125/	10%	Virustotal		Browse
http://91.206.178.125/upload/upload.asp6	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.asp$;	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspz	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.asp?;	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspG;	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspT	100%	Avira URL Cloud	malware
http://91.206.178.125/upload/upload.aspuip	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://91.206.178.125/upload/upload.asp.;	rundll32.exe, 00000015.00000003.2117386294.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspf	rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspi	rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspJ	rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspj	rundll32.exe, 00000015.00000002.2450175834.00000156BBAFE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://91.206.178.125/upload/upload.asp	rundll32.exe, 00000015.00000003.2329071923.00000156BBAFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2448645763.0000000180016000.00000002.00001000.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBAFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB28000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2449155633.0000003402DC4000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBA68000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBAE9000.00000004.00000020.00020000.00000000.sdmp	false	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspVe	rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspL	rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.asp6;	rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.asp8;	rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/	rundll32.exe, 00000015.00000003.1906074262.00000156BBAFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBAFE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspB	rundll32.exe, 00000015.00000003.1905870521.00000156BBAE9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBAC6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBAE9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.asphttp://91.206.17	rundll32.exe, 00000015.00000002.2448740513.0000000180051000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspD	rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspm32	rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.asp6	rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.asp?;	rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2329071923.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspz	rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1685486906.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspG;	rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.asp$;	rundll32.exe, 00000015.00000002.2450175834.00000156BBB21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspT	rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://91.206.178.125/upload/upload.aspuip	rundll32.exe, 00000015.00000003.2329071923.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.2117386294.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000003.1905870521.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000015.00000002.2450175834.00000156BBB17000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.microsoft	rundll32.exe, 00000008.00000002.1259984640.000001DD2429E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
91.206.178.125	unknown	Poland		200088	ARTNET2PL	true

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1378285
Start date and time:	2024-01-21 14:59:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sql.tmp.dll.dll (renamed file extension from exe to dll)
Original Sample Name:	sql.tmp.dll.exe
Detection:	MAL
Classification:	mal96.evad.winDLL@16/2@0/1
EGA Information:	Successful, ratio: 20%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 292

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target rundll32.exe, PID 2436 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 2916 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 3564 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 6276 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:59:59	API Interceptor	1x Sleep call for process: loaddll64.exe modified
16:03:04	API Interceptor	4x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ARTNET2PL	UrQrIdRfCg.exe	Get hash	malicious	Unknown	Browse	185.104.112.62
	http://tldbonak.com	Get hash	malicious	Unknown	Browse	91.206.178.97
	7ECHtNYRdu.exe	Get hash	malicious	Vidar	Browse	185.104.114.24
	Wi50Ux1Ats.exe	Get hash	malicious	Vidar	Browse	185.104.114.24
	Divergencias.exe	Get hash	malicious	Maxtrilha	Browse	185.104.113.156
	Divergencias.exe	Get hash	malicious	Maxtrilha	Browse	185.104.113.156
	arm7.light	Get hash	malicious	Mirai	Browse	185.104.117.9
	https://www.baidu.com/link?url=4mpRKauJiWAf4vlM1pBe-ZhWFmBGHgY20t_xDsktmyq#jsewasen&74175	Get hash	malicious	Unknown	Browse	185.104.113.176

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat	WfONwLlyCN.dll	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat	dumped.exe.dll.dll	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_512.db

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	64292
Entropy (8bit):	7.993842861841409
Encrypted:	true
SSDEEP:	1536:fG/IbDFxzHZxuU40HCX3T7YJPoY1FVer3DeTUvsisl:fcsF5HZ0JkW7aAgVerzkUNsl
MD5:	7B4731DCD1AEAC06C6363592CA283D30
SHA1:	A345EC8D4674912A29D17FD05AF68D51B15B4A43
SHA-256:	2A5DF2022F4736DA72937DD0637CCF751D21676FA580E1AD5B508FC8C1FC3627
SHA-512:	8588A6AFD5B9FEDE15C1D3623F4B39734998A83F4A9600D02AB5961E3EA213141DB8ED814493E614EF570F872107BBB09A3795406B5D5070E792C96416EE637E
Malicious:	false
Reputation:	low
Preview:	".......0....k......m.7(.sh..u.O.qng=M..O.1....JYwQ@M<.UiP..g.A.<.01.........>c.8.j..DYX.k.lwy..#..i. .hp.T...<.,..2..A....kB...'..+u....&.....N#.....o+.P....!.L.Y.......#..$.9..."....P.....H1....MR.\|...........D.....0.........e.............Q.V....D.J..u.....R=....;......e..3..&.g..i`..K.....`.4.X).i..h....m(..-.$t... ^...@.. .....m.....4.+..6P...~g.wd.gI.?.....G....t..........B..S..s..aI`CO.04..z...+.5b.l.i..F...^s{d..G.....x.G......e.......[cx>.P.....xs..vRVg.m....y.....Fpp.Qpn.2..#..$E.bK@...<..J....\|.....q.3V....$R[/.h.m..[.XJ.`F..15..\..........?.y..L.8...].l..."q.1#.uB.U..tP*.:...N...~d..N!.pC.r..}u.._......7kU...U..B.f.<......7.v..m......cNdY..O>.^T...}.fV..kZ....=z..v.......Te........;....;U.......!.. .i0.P f..b..K)1ff.8j..y.......Cv.V...h}T...8.x.....!r...\...#r.9.T.9v.9..H8....iu.F..b.7..P..1.>....~b..N'../t&!..>.........~...-3D..C...%<..;:...../}J..)U....)..2..<Yb.p........j$.."........z9..^..4.61n..B.F.;.DxL-Iw.....d..q..

C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat

Download File

Process:	C:\Windows\System32\rundll32.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	64000
Entropy (8bit):	5.816882886987605
Encrypted:	false
SSDEEP:	768:weQtV+Nia8Ol7zBOwpa5WWkZDDgAYtTKU/cY9Qvw2xHckDJXrsmgFM1xzHMyrPm:ZQt4Nl8uBOwyW/q9TKgQvw2Zhr2Avr
MD5:	420A13202D271BABC32BF8259CDADDF3
SHA1:	7221445C823D67F03B438A3C83583F9364A7F0B4
SHA-256:	00433EBF3B21C1C055D4AB8A599D3E84F03B328496236B54E56042CEF2146B1C
SHA-512:	F58E43C78680E7C80C0B85D06DDEA397B42297046FA33739550903BC8B8F156667103AB434343C124E097008F8FEF2A96A27D823AEA16928DE79FA74A96EF263
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 47% Antivirus: Virustotal, Detection: 57%, Browse
Joe Sandbox View:	Filename: WfONwLlyCN.dll, Detection: malicious, Browse Filename: dumped.exe.dll.dll, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?p..{...{...{...._g.z....gT.g....gU......ga.r...ril.x...{........gP......gd.z....gb.z...Rich{...................PE..d...l..d.........." .........`.......@.......................................`............@.............................................`...4...(....@.......0...............P..d.......................................................`............................text.............................. ..`.rdata..`8.......:..................@..@.data...h8..........................@....pdata.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Entropy (8bit):	7.867140875501513
TrID:	Win64 Dynamic Link Library (generic) (102004/3) 86.43% Win64 Executable (generic) (12005/4) 10.17% Generic Win/DOS Executable (2004/3) 1.70% DOS Executable Generic (2002/1) 1.70% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.01%
File name:	sql.tmp.dll.dll
File size:	325'632 bytes
MD5:	d8a8cc25bf5ef5b96ff7a64f663cbd29
SHA1:	d1e5e29c162566ce1d8a3d9c1a758fdbfef74174
SHA256:	aec915753612bb003330ce7ffc67cfa9d7e3c12310f0ecfd0b7e50abf427989a
SHA512:	703462497a8a85b00355ba7e572214fe84ea5151cd02adec6e76309fcaf06baf77e2846c3448ffb97ef8d8b0ad8b5edd2e434baad38eaa0f6855b04be461dcc7
SSDEEP:	6144:mYu+TNVHFjt0W8zPtkpYrKms8YlTl+0TMKJU/liMTXYBcr4w:I2L0W8zFkpVzFl+08/MMj1X
TLSH:	F664124D53692079E1269239C9E3DAB0E3B2740AA337D78E10D440AD4FB6FC6553EB36
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.E.).+.).+.).+.F...8.+.F.....+.F... .+. ....+.)..a.+.F...,.+.F...(.+.F...(.+.Rich).+.........PE..d......e.........." .....`.

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1800021c8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x180000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6500888E [Tue Sep 12 15:49:34 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	6faf0aa45f2399d434f7346ab64c7697

Entrypoint Preview

Instruction
dec eax
mov dword ptr [esp+08h], ebx
dec eax
mov dword ptr [esp+10h], esi
push edi
dec eax
sub esp, 20h
dec ecx
mov edi, eax
mov ebx, edx
dec eax
mov esi, ecx
cmp edx, 01h
jne 00007FCC9882E5C7h
call 00007FCC98830C28h
dec esp
mov eax, edi
mov edx, ebx
dec eax
mov ecx, esi
dec eax
mov ebx, dword ptr [esp+30h]
dec eax
mov esi, dword ptr [esp+38h]
dec eax
add esp, 20h
pop edi
jmp 00007FCC9882E46Ch
int3
int3
int3
dec eax
mov dword ptr [esp+08h], ecx
dec eax
sub esp, 00000088h
dec eax
lea ecx, dword ptr [0004D5A5h]
call dword ptr [00004E8Fh]
dec eax
mov eax, dword ptr [0004D690h]
dec eax
mov dword ptr [esp+58h], eax
inc ebp
xor eax, eax
dec eax
lea edx, dword ptr [esp+60h]
dec eax
mov ecx, dword ptr [esp+58h]
call 00007FCC988330AAh
dec eax
mov dword ptr [esp+50h], eax
dec eax
cmp dword ptr [esp+50h], 00000000h
je 00007FCC9882E603h
dec eax
mov dword ptr [esp+38h], 00000000h
dec eax
lea eax, dword ptr [esp+48h]
dec eax
mov dword ptr [esp+30h], eax
dec eax
lea eax, dword ptr [esp+40h]
dec eax
mov dword ptr [esp+28h], eax
dec eax
lea eax, dword ptr [0004D550h]
dec eax
mov dword ptr [esp+20h], eax
dec esp
mov ecx, dword ptr [esp+50h]
dec esp
mov eax, dword ptr [esp+58h]
dec eax
mov edx, dword ptr [esp+60h]
xor ecx, ecx
call 00007FCC98833058h
jmp 00007FCC9882E5E4h
dec eax
mov eax, dword ptr [eax+eax+00000000h]

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[ASM] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[EXP] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x99b0	0x68	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x92dc	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x1b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x51000	0x678	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x53000	0x150	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x7260	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x208	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e86	0x6000	False	0.584228515625	COM executable for DOS	6.2121408907473565	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x2a18	0x2c00	False	0.3407315340909091	data	4.534678953550281	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x46960	0x45800	False	0.9890470436151079	tar archive (V7), type ' ' 2\242\337-\231+, gid \020\02, size \020\020\020, linkname	7.9867891610328305	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x51000	0x678	0x800	False	0.4091796875	PEX Binary Archive	3.7250204960795466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x52000	0x1b4	0x200	False	0.48828125	data	5.106643411820809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x53000	0x538	0x600	False	0.18098958333333334	GLS_BINARY_LSB_FIRST	1.7459222921320916	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x52058	0x15a	ASCII text, with CRLF line terminators	English	United States	0.5491329479768786

Imports

DLL

Import

KERNEL32.dll

FreeLibrary, HeapAlloc, HeapFree, VirtualFree, GetProcessHeap, IsBadReadPtr, GetProcAddress, VirtualAlloc, LoadLibraryA, VirtualProtect, GetLastError, HeapReAlloc, GetCurrentThreadId, FlsSetValue, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, FlsGetValue, FlsFree, SetLastError, FlsAlloc, DecodePointer, HeapSetInformation, GetVersion, HeapCreate, HeapDestroy, RtlUnwindEx, Sleep, GetModuleHandleW, ExitProcess, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, GetStartupInfoW, DeleteCriticalSection, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringW, MultiByteToWideChar, GetStringTypeW, LeaveCriticalSection, EnterCriticalSection, WriteFile, GetModuleFileNameW, LoadLibraryW, HeapSize

Exports

Name	Ordinal	Address
CalculateSum	1	0x180001cc0
CalculateSumW	2	0x180001cd0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 21, 2024 15:00:22.784518957 CET	49704	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:00:23.786062956 CET	49704	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:00:25.801686049 CET	49704	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:00:29.817445993 CET	49704	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:00:37.817735910 CET	49704	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:00:43.960489035 CET	49705	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:00:44.973571062 CET	49705	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:00:46.989207983 CET	49705	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:00:50.989216089 CET	49705	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:00:58.989249945 CET	49705	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:06.007720947 CET	49709	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:07.004849911 CET	49709	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:09.020533085 CET	49709	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:13.020591021 CET	49709	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:21.020596027 CET	49709	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:27.164264917 CET	49710	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:28.176856995 CET	49710	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:30.176809072 CET	49710	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:34.192550898 CET	49710	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:42.192542076 CET	49710	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:48.319335938 CET	49711	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:49.333084106 CET	49711	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:51.333125114 CET	49711	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:01:55.348751068 CET	49711	80	192.168.2.7	91.206.178.125
Jan 21, 2024 15:02:03.348766088 CET	49711	80	192.168.2.7	91.206.178.125

Target ID:	0
Start time:	14:59:53
Start date:	21/01/2024
Path:	C:\Windows\System32\loaddll64.exe
Wow64 process (32bit):	false
Commandline:	loaddll64.exe "C:\Users\user\Desktop\sql.tmp.dll.dll"
Imagebase:	0x7ff741af0000
File size:	165'888 bytes
MD5 hash:	763455F9DCB24DFEECC2B9D9F8D46D52
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:59:53
Start date:	21/01/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:59:53
Start date:	21/01/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",#1
Imagebase:	0x7ff602cf0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:59:53
Start date:	21/01/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\sql.tmp.dll.dll,CalculateSum
Imagebase:	0x7ff6398d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	14:59:53
Start date:	21/01/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",#1
Imagebase:	0x7ff6398d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	14:59:54
Start date:	21/01/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	RUNDLL32.exe C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Windows\system32\config\systemprofile\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555
Imagebase:	0x7ff6398d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	14:59:56
Start date:	21/01/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\Users\user\Desktop\sql.tmp.dll.dll,CalculateSumW
Imagebase:	0x7ff6398d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:59:59
Start date:	21/01/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",CalculateSum
Imagebase:	0x7ff6398d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:59:59
Start date:	21/01/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe "C:\Users\user\Desktop\sql.tmp.dll.dll",CalculateSumW
Imagebase:	0x7ff6398d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	16:02:43
Start date:	21/01/2024
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	RUNDLL32.exe C:\Users\user\AppData\Roaming\..\Local\Microsoft\Windows\usrgroup.dat,LoadDll C:\Users\user\AppData\Roaming\..\Local\Microsoft\Windows\Explorer\thumbcache_512.db "zjWy" 5555
Imagebase:	0x7ff6398d0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sql.tmp.dll.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_512.db

C:\Users\user\AppData\Local\Microsoft\Windows\usrgroup.dat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

Windows Analysis Report
sql.tmp.dll.dll