Analysis Report v1Us5AICBm

Overview

General Information

Sample Name: v1Us5AICBm (renamed file extension from none to dll)
Analysis ID: 329945
MD5: e0af3054669d6232870b87e1e239a689
SHA1: f0aa6e50471e70d07a1b70207f38538cb31ed569
SHA256: f8503947e0e984865a29d1e3f8a62ce7034069f49c2a2dd902af68274f192224
Tags: zloader2


Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to inject code into remote processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries the product ID of Windows
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Xyd\yvek.dll ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: v1Us5AICBm.dll Virustotal: Detection: 47%
Source: v1Us5AICBm.dll ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Xyd\yvek.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: v1Us5AICBm.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.10000000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2
Source: 12.2.msiexec.exe.350000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0035F4E0 FindFirstFileW,FindNextFileW, 12_2_0035F4E0

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then push 0000000Ah 0_2_1000D830
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then mov eax, dword ptr [edi-08h] 0_2_10018830
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then add esi, 02h 0_2_1001CE40
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then push 00000000h 0_2_1001DA70
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then push 0000000Ah 12_2_0035D830
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov eax, dword ptr [edi-08h] 12_2_00368830
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then push 00000000h 12_2_0036DA70
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then add esi, 02h 12_2_0036CE40

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 70.32.23.56
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00351AF0 InternetReadFile, 12_2_00351AF0
Source: unknown DNS traffic detected: queries for: www.businessinsurancelaw.com
Source: msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp String found in binary or memory: http://apps.ident
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: http://apps.identrust.comw
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp String found in binary or memory: http://cps.ro
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp String found in binary or memory: http://crl.co
Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: msiexec.exe, 0000000C.00000003.303630468.0000000000938000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationA
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: msiexec.exe, 0000000C.00000003.339000834.0000000000957000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp String found in binary or memory: http://crt.comodoca.o
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: msiexec.exe, 0000000C.00000003.306019326.0000000000938000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.cog
Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: msiexec.exe, 0000000C.00000003.337005926.0000000000963000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://lamun.pk/
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://lamun.pk/R
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://lamun.pk/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://lamun.pk/wp-punch.php(
Source: msiexec.exe, 0000000C.00000003.308169882.0000000000938000.00000004.00000001.sdmp String found in binary or memory: https://lamun.pk/wp-punch.phpT%
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://lamun.pk/wp-punch.phpc
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://squire.ae/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://squire.ae/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://squire.ae/wp-punch.php?
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://thecype.com/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://thecype.com/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://thecype.com/wp-punch.php)
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://thecype.com/wp-punch.phpefaults
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://theterteboltallbrow.tk/
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://theterteboltallbrow.tk/;
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://theterteboltallbrow.tk/J
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://theterteboltallbrow.tk/f
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://theterteboltallbrow.tk/j
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp, msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.php
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.php;
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.phpSNfc)
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://theterteboltallbrow.tk/wp-smarts.phpider
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://www.businessinsurancelaw.com/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.php(
Source: msiexec.exe, 0000000C.00000003.303659662.0000000000909000.00000004.00000001.sdmp String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.phpVe
Source: msiexec.exe, 0000000C.00000003.303659662.0000000000909000.00000004.00000001.sdmp String found in binary or memory: https://www.businessinsurancelaw.com/wp-punch.phptw
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://www.rcclabbd.com/
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://www.rcclabbd.com/crosoft
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://www.rcclabbd.com/wp-punch.php
Source: msiexec.exe, 0000000C.00000002.565307219.00000000008C8000.00000004.00000020.sdmp String found in binary or memory: https://www.rcclabbd.com/wp-punch.php;
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://www.rcclabbd.com/wp-punch.phpH
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://www.rcclabbd.com/wp-punch.phpr
Source: msiexec.exe, 0000000C.00000002.565639783.000000000091B000.00000004.00000020.sdmp String found in binary or memory: https://www.rcclabbd.com/z#
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745

System Summary:

Abnormal high CPU Usage
Source: C:\Windows\System32\loaddll32.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10009C60 0_2_10009C60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003A30 0_2_10003A30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10009A60 0_2_10009A60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001DA70 0_2_1001DA70
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10015BF0 0_2_10015BF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00359C60 12_2_00359C60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00353A30 12_2_00353A30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0036DA70 12_2_0036DA70
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00359A60 12_2_00359A60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00365BF0 12_2_00365BF0
Sample file is different than original file name gathered from version info
Source: v1Us5AICBm.dll Binary or memory string: OriginalFilenamehole.dll8 vs v1Us5AICBm.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: v1Us5AICBm.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: yvek.dll.12.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal68.evad.winDLL@3/1@11/5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00369C90 AdjustTokenPrivileges, 12_2_00369C90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100169A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next, 0_2_100169A0
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Roaming\Xyd
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{AE3C19F7-A2D0-F8C5-70B9-D0EFD3468FD7}
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{8E4429F7-92D0-D8BD-70B9-D0EFD3468FD7}
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{3EAD2B6B-904C-6854-70B9-D0EFD3468FD7}
Source: v1Us5AICBm.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: v1Us5AICBm.dll Virustotal: Detection: 47%
Source: v1Us5AICBm.dll ReversingLabs: Detection: 27%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\v1Us5AICBm.dll'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: v1Us5AICBm.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: v1Us5AICBm.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: v1Us5AICBm.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: v1Us5AICBm.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: v1Us5AICBm.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: v1Us5AICBm.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: v1Us5AICBm.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Hundredsure\northSoil\goend\TogetherChild\hole.pdb source: loaddll32.exe, 00000000.00000002.295157206.0000000010051000.00000002.00020000.sdmp, msiexec.exe, 0000000C.00000003.300345501.00000000045B0000.00000004.00000001.sdmp, v1Us5AICBm.dll
Source: v1Us5AICBm.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: v1Us5AICBm.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: v1Us5AICBm.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: v1Us5AICBm.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: v1Us5AICBm.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D830 LoadLibraryA,GetProcAddress, 0_2_1000D830
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002807C push eax; ret 0_2_100280D9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002E11B pushad ; ret 0_2_1002E11C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002E9F0 push eax; ret 0_2_1002E9F1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002A228 push ebx; retf 0_2_1002A22E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10026E58 push FFFFFFFBh; retf 0_2_10026E62
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002779B push ecx; iretd 0_2_100277AB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1002EBA8 push edi; retf 0_2_1002EBB2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005FB42 push ebx; ret 0_2_1005FB4A
Source: initial sample Static PE information: section name: .text entropy: 6.97945124569

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Roaming\Xyd\yvek.dll

Malware Analysis System Evasion:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100169A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next, 0_2_100169A0
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Xyd\yvek.dll
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_0035F4E0 FindFirstFileW,FindNextFileW, 12_2_0035F4E0
Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: msiexec.exe, 0000000C.00000003.303670263.000000000091B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW,

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100169A0 CreateToolhelp32Snapshot,GetCurrentProcessId,Thread32First,GetLastError,Thread32Next, 0_2_100169A0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D830 LoadLibraryA,GetProcAddress, 0_2_1000D830
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10012EF0 mov eax, dword ptr fs:[00000030h] 0_2_10012EF0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005C98D mov eax, dword ptr fs:[00000030h] 0_2_1005C98D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005C8C3 mov eax, dword ptr fs:[00000030h] 0_2_1005C8C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1005C4CA push dword ptr fs:[00000030h] 0_2_1005C4CA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 12_2_00362EF0 mov eax, dword ptr fs:[00000030h] 12_2_00362EF0

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000AE40 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,GetThreadContext,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess, 0_2_1000AE40
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp Binary or memory string: Progman
Source: msiexec.exe, 0000000C.00000002.568812035.0000000003160000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the product ID of Windows
Source: C:\Windows\SysWOW64\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001A00 CreateDialogParamW,GetVersion, 0_2_10001A00
Source: C:\Windows\SysWOW64\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 329945
Sample: v1Us5AICBm
Start date: 13/12/2020
Architecture: WINDOWS
Score: 68

Signatures on sample: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; Machine Learning detection for dropped file
Process chain: loaddll32.exe (started) -> msiexec.exe (started)
Signatures on loaddll32.exe: Contains functionality to inject code into remote processes
Network contacts from msiexec.exe: rcclabbd.com 192.254.225.195, ports 443, 49738, 49739, UNIFIEDLAYER-AS-1US, United States; lamun.pk 67.23.227.19, ports 443, 49737, DIMENOCUS, United States; 7 other IPs or domains
Dropped file from msiexec.exe: C:\Users\user\AppData\Roaming\Xyd\yvek.dll, PE32

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
192.254.225.195 unknown United States 46606 UNIFIEDLAYER-AS-1US false
192.3.183.226 unknown United States 36352 AS-COLOCROSSINGUS false
70.32.23.56 unknown United States 55293 A2HOSTINGUS false
67.23.227.19 unknown United States 33182 DIMENOCUS false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
squire.ae 70.32.23.56 true
lamun.pk 67.23.227.19 true
rcclabbd.com 192.254.225.195 true
businessinsurancelaw.com 70.32.23.56 true
thecype.com 192.3.183.226 true
www.businessinsurancelaw.com unknown unknown
theterteboltallbrow.tk unknown unknown
www.rcclabbd.com unknown unknown