Analysis Report ERRoqGpsIS

Overview

General Information

Sample Name: ERRoqGpsIS (renamed file extension from none to dll)
Analysis ID: 352815
MD5: d2852a3b2a20846528cec53426fd5f9c
SHA1: 1fa892f9280708e7c82e958bec516bb2b09351f3
SHA256: 8e50da51386c2f267afaf1a419e4467d62c01c9704f0e17c4aa188d0c090c8b2
Tags: zloader2

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Contains functionality to inject code into remote processes
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Queries the product ID of Windows
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll Virustotal: Detection: 57%
Source: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll Metadefender: Detection: 24%
Source: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: ERRoqGpsIS.dll Virustotal: Detection: 57%
Source: ERRoqGpsIS.dll Metadefender: Detection: 24%
Source: ERRoqGpsIS.dll ReversingLabs: Detection: 50%

Compliance:

Uses 32bit PE files
Source: ERRoqGpsIS.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 104.21.45.75:443 -> 192.168.2.3:49728 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: c:\FindHeard\EndLook\ChartBegan\WinSentence\Rain.pdb source: loaddll32.exe, 00000000.00000002.302107930.000000006E4F5000.00000002.00020000.sdmp, msiexec.exe, 0000000E.00000003.310516773.0000000001100000.00000004.00000001.sdmp, ERRoqGpsIS.dll
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_008215D0 FindFirstFileW,FindNextFileW, 14_2_008215D0

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then mov byte ptr [ebp+edi-50h], al 0_2_6E4D0230
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then mov al, byte ptr [edx+ebx] 0_2_6E4CEAB0
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then mov edi, 00000002h 0_2_6E4B2730
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then mov edi, dword ptr [ebp+ebx*4-00000114h] 0_2_6E4C9BF0
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then xor ebx, ebx 0_2_6E4BEB90
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then inc edi 0_2_6E4C1F90
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then mov byte ptr [ebp+ebx-00000084h], al 0_2_6E4CF870
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then mov esi, dword ptr [6E4D66F0h+edi*4] 0_2_6E4C88F0
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then movsx ebx, byte ptr [esi] 0_2_6E4C1D60
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then push dword ptr [ebp-14h] 0_2_6E4B7170
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then add esi, 02h 0_2_6E4CE970
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov esi, dword ptr [008266F0h+edi*4] 14_2_008188F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov byte ptr [ebp+ebx-00000084h], al 14_2_0081F870
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then movsx ebx, byte ptr [esi] 14_2_00811D60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then push dword ptr [ebp-14h] 14_2_00807170
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then add esi, 02h 14_2_0081E970
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov al, byte ptr [edx+ebx] 14_2_0081EAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov byte ptr [ebp+edi-50h], al 14_2_00820230
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then xor ebx, ebx 14_2_0080EB90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then inc edi 14_2_00811F90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov edi, dword ptr [ebp+ebx*4-00000114h] 14_2_00819BF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then mov edi, 00000002h 14_2_00802730

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: earfetti.com
Source: loaddll32.exe, 00000000.00000002.302144785.000000006E51C000.00000002.00020000.sdmp, msiexec.exe, 0000000E.00000003.310516773.0000000001100000.00000004.00000001.sdmp, ERRoqGpsIS.dll String found in binary or memory: http://www.enoughthose.de8
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown HTTPS traffic detected: 104.21.45.75:443 -> 192.168.2.3:49728 version: TLS 1.2
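The JA3 value above (37f463bf4616ecd445d4a1937da06e19) is the MD5 of a string assembled from the ClientHello: the client version, then the cipher suites, the extension types, the supported groups and the EC point formats, each as a dash-joined decimal list. The Python below is added here as an illustration and is not part of the Joe Sandbox report or of the sample. It serialises a ClientHello from constructed values (not this sample's handshake), parses it back out of the TLS record and derives the JA3 string and hash, dropping GREASE values the way the reference implementation does. A JA3 match against a malware list is only as strong as the TLS stack is unusual: the fingerprint describes the library the sample linked, so a legitimate program built with the same library will collide with it.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are placeholder cipher/extension/group codes that modern
# clients randomise; the reference JA3 implementation removes them so one client's
# fingerprint stays constant across connections.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}

SUPPORTED_GROUPS, EC_POINT_FORMATS = 10, 11   # TLS extension type codes

def _u8(v):  return struct.pack("!B", v)
def _u16(v): return struct.pack("!H", v)

def build_client_hello(version, ciphers, extensions, groups, point_formats):
    """Serialise a minimal TLS record carrying a ClientHello (constructed test input)."""
    ext_blobs = []
    for ext_type in extensions:
        if ext_type == SUPPORTED_GROUPS:
            data = _u16(2 * len(groups)) + b"".join(_u16(g) for g in groups)
        elif ext_type == EC_POINT_FORMATS:
            data = _u8(len(point_formats)) + bytes(point_formats)
        else:
            data = b""          # an empty body is enough for fingerprinting purposes
        ext_blobs.append(_u16(ext_type) + _u16(len(data)) + data)
    exts = b"".join(ext_blobs)
    body = (_u16(version) + b"\x11" * 32 + _u8(0)                      # version, random, empty session id
            + _u16(2 * len(ciphers)) + b"".join(_u16(c) for c in ciphers)
            + _u8(1) + b"\x00"                                           # one compression method: null
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type=client_hello, 24-bit length
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake           # record: handshake, legacy version

def parse_client_hello(record):
    """Return (version, ciphers, extensions, groups, point_formats) exactly as sent, GREASE included."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                       # 5-byte record header + 4-byte handshake header
    version = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    p += 32                                     # client random
    p += 1 + record[p]                          # session id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", record[i:i + 2])[0] for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + record[p]                          # compression methods
    extensions, groups, point_formats = [], [], []
    if p < len(record):
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]; p += 2
        while p < end:
            ext_type, data_len = struct.unpack("!HH", record[p:p + 4]); p += 4
            data = record[p:p + data_len]; p += data_len
            extensions.append(ext_type)
            if ext_type == SUPPORTED_GROUPS:
                n = struct.unpack("!H", data[:2])[0]
                groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
            elif ext_type == EC_POINT_FORMATS:
                point_formats = list(data[1:1 + data[0]])
    return version, ciphers, extensions, groups, point_formats

def _field(values):
    return "-".join(str(v) for v in values if v not in GREASE)

def ja3(record):
    """Compute the JA3 string and its MD5 for the ClientHello carried in `record`."""
    version, ciphers, extensions, groups, point_formats = parse_client_hello(record)
    s = ",".join([str(version), _field(ciphers), _field(extensions), _field(groups), _field(point_formats)])
    return s, hashlib.md5(s.encode()).hexdigest()

# Constructed ClientHello for the example; it does NOT reproduce this sample's handshake.
SAMPLE_HELLO = build_client_hello(
    version=0x0303,                                    # TLS 1.2 -> "771"
    ciphers=[0x1a1a, 0x1301, 0x1302, 0xc02b, 0xc02f],  # 0x1a1a is GREASE and is dropped
    extensions=[0x0a0a, 0, 23, 10, 11, 35],            # 0x0a0a is GREASE and is dropped
    groups=[0x2a2a, 29, 23, 24],                       # 0x2a2a is GREASE and is dropped
    point_formats=[0],
)

if __name__ == "__main__":
    ja3_str, ja3_md5 = ja3(SAMPLE_HELLO)
    print(ja3_str)   # 771,4865-4866-49195-49199,0-23-10-11-35,29-23-24,0
    print(ja3_md5)
```

The parser returns the raw field values so the same code can also feed JA3-like variants that keep GREASE or sort extensions; only `_field` and the join in `ja3` encode the JA3 convention.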

System Summary:

Abnormal high CPU Usage
Source: C:\Windows\System32\loaddll32.exe Process Stats: CPU usage > 98%
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B2B90 0_2_6E4B2B90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B3E10 0_2_6E4B3E10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BB3D0 0_2_6E4BB3D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4CA000 0_2_6E4CA000
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B68C0 0_2_6E4B68C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C88F0 0_2_6E4C88F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B2DD0 0_2_6E4B2DD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4BC9A0 0_2_6E4BC9A0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4EBECF 0_2_6E4EBECF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4F275F 0_2_6E4F275F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4F2CA3 0_2_6E4F2CA3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4F221B 0_2_6E4F221B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4F4236 0_2_6E4F4236
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_008068C0 14_2_008068C0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_008188F0 14_2_008188F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0081A000 14_2_0081A000
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0080C9A0 14_2_0080C9A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00802DD0 14_2_00802DD0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00803E10 14_2_00803E10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00802B90 14_2_00802B90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0080B3D0 14_2_0080B3D0
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E4E97D8 appears 34 times
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: ERRoqGpsIS.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: ERRoqGpsIS.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: inaxa.dll.14.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal60.evad.winDLL@3/1@1/1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_0080E070 AdjustTokenPrivileges, 14_2_0080E070
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ilgyr
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{AE3C19F7-A2D0-F8C5-70B9-D0EFD3468FD7}
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{8E4429F7-92D0-D8BD-70B9-D0EFD3468FD7}
Source: C:\Windows\SysWOW64\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\{3EAD2B6B-904C-6854-70B9-D0EFD3468FD7}
Source: ERRoqGpsIS.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\msiexec.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: ERRoqGpsIS.dll Virustotal: Detection: 57%
Source: ERRoqGpsIS.dll Metadefender: Detection: 24%
Source: ERRoqGpsIS.dll ReversingLabs: Detection: 50%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ERRoqGpsIS.dll'
Source: unknown Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: ERRoqGpsIS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ERRoqGpsIS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ERRoqGpsIS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ERRoqGpsIS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ERRoqGpsIS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ERRoqGpsIS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: c:\FindHeard\EndLook\ChartBegan\WinSentence\Rain.pdb source: loaddll32.exe, 00000000.00000002.302107930.000000006E4F5000.00000002.00020000.sdmp, msiexec.exe, 0000000E.00000003.310516773.0000000001100000.00000004.00000001.sdmp, ERRoqGpsIS.dll
Source: ERRoqGpsIS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ERRoqGpsIS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ERRoqGpsIS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ERRoqGpsIS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ERRoqGpsIS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4CF870 LoadLibraryA,GetProcAddress, 0_2_6E4CF870
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C0380 push eax; ret 0_2_6E4C038A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4DF6C6 push FFFFFFFFh; ret 0_2_6E4DF6D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4DDC4B push esp; ret 0_2_6E4DDC7B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D9C73 push es; iretd 0_2_6E4D9D28
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D9CB3 push es; iretd 0_2_6E4D9D28
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E981D push ecx; ret 0_2_6E4E9830
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4D98AA push esp; ret 0_2_6E4D98B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E509381 push eax; ret 0_2_6E5093B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E509400 push eax; ret 0_2_6E5093B1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00823CEA push D85411E4h; iretd 14_2_00823CF6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00810380 push eax; ret 14_2_0081038A

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll
Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOOPENFILEERRORBOX
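Two observations in this report are cheap to hunt for in endpoint telemetry: the DLL host (loaddll32.exe here) starting msiexec.exe with a bare command line, and that msiexec.exe then writing a PE into a freshly created directory under %APPDATA%\Roaming. The Python below is an added example, not part of the report or of any product. Its event schema and the events themselves are constructed to mirror this report's process tree and drop path, and rundll32.exe and regsvr32.exe are listed as DLL hosts on the assumption that the DLL would be run through one of them outside a sandbox.

```python
import ntpath
import re

# Processes that load a DLL and hand control to it. loaddll32.exe is the sandbox's loader
# seen in this report; rundll32.exe and regsvr32.exe are added on the assumption that the
# DLL is run through one of them outside the sandbox.
DLL_HOSTS = {"loaddll32.exe", "rundll32.exe", "regsvr32.exe"}

# A whole command line that is nothing but the executable, quoted or not.
BARE_CMDLINE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*$')

# %APPDATA%\Roaming\ under any user's profile, as in the drop path of this report.
APPDATA_ROAMING = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.IGNORECASE)

def is_bare_command_line(cmdline):
    """msiexec.exe normally carries switches (/i, /x, /qn, -Embedding); bare is the anomaly."""
    return BARE_CMDLINE.match(cmdline) is not None

def looks_like_pe(event):
    """Prefer the file's magic when the telemetry has it, fall back to the extension."""
    if event.get("magic"):
        return event["magic"] == "MZ"
    return ntpath.splitext(event["path"])[1].lower() in {".dll", ".exe"}

def detect(events):
    """Return findings for the two behaviours, correlating them through the msiexec pid."""
    findings, flagged_msiexec = [], set()
    for e in events:
        image = ntpath.basename(e["image"]).lower()
        if image != "msiexec.exe":
            continue
        if e["type"] == "process_create":
            parent = ntpath.basename(e["parent_image"]).lower()
            if parent in DLL_HOSTS and is_bare_command_line(e["cmdline"]):
                flagged_msiexec.add(e["pid"])
                findings.append({"rule": "bare_msiexec_under_dll_host", "pid": e["pid"],
                                 "detail": f'{parent} -> "{e["cmdline"]}"', "severity": "medium"})
        elif e["type"] == "file_create":
            if looks_like_pe(e) and APPDATA_ROAMING.match(e["path"]):
                findings.append({"rule": "msiexec_drops_pe_in_appdata", "pid": e["pid"],
                                 "detail": e["path"],
                                 "severity": "high" if e["pid"] in flagged_msiexec else "medium"})
    return findings

# Constructed telemetry modelled on this report's process tree and drop path (not real Sysmon output).
EVENTS = [
    {"type": "process_create", "pid": 1000, "ppid": 900, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"loaddll32.exe 'C:\Users\user\Desktop\ERRoqGpsIS.dll'"},
    {"type": "process_create", "pid": 1100, "ppid": 1000, "parent_image": r"C:\Windows\System32\loaddll32.exe",
     "image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": "msiexec.exe"},
    {"type": "file_create", "pid": 1100, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "path": r"C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll", "magic": "MZ"},
    # Benign control: an installer launched normally with switches, writing its log rather than a PE.
    {"type": "process_create", "pid": 1200, "ppid": 900, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\user\Downloads\tool.msi" /qn'},
    {"type": "file_create", "pid": 1200, "image": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\Users\user\AppData\Local\Temp\MSI1234.LOG", "magic": ""},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["severity"], f["rule"], f["pid"], f["detail"])
```

Either rule alone produces noise (bare msiexec.exe also appears when the Windows Installer service is poked by some installers; PEs under %APPDATA% are written by many updaters), which is why the drop finding is raised to high only when the same pid already matched the launch rule.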

Malware Analysis System Evasion:

Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4EDA28 sldt word ptr [eax] 0_2_6E4EDA28
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Ilgyr\inaxa.dll
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_008215D0 FindFirstFileW,FindNextFileW, 14_2_008215D0

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E8B05 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E4E8B05
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4CF870 LoadLibraryA,GetProcAddress, 0_2_6E4CF870
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4C3E90 mov eax, dword ptr fs:[00000030h] 0_2_6E4C3E90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E50A2F7 mov eax, dword ptr fs:[00000030h] 0_2_6E50A2F7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E509E34 push dword ptr fs:[00000030h] 0_2_6E509E34
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E50A22D mov eax, dword ptr fs:[00000030h] 0_2_6E50A22D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 14_2_00813E90 mov eax, dword ptr fs:[00000030h] 14_2_00813E90
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4EFE11 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_6E4EFE11
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4EAE48 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E4EAE48
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E8B05 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E4E8B05
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4E9009 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E4E9009

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4CDD00 CreateProcessA,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,GetThreadContext,VirtualProtectEx,SetThreadContext,VirtualProtectEx,ResumeThread,ExitProcess, 0_2_6E4CDD00
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec.exe
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: msiexec.exe, 0000000E.00000002.556778882.00000000032C0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
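The function list for 0_2_6E4CDD00 is the classic suspended-process injection: the child (msiexec.exe here) is created with CREATE_SUSPENDED, memory is allocated and written into it, the primary thread's context is read and rewritten so execution starts in the injected code, and the thread is resumed. Correlating those calls by process and thread handle is what separates that pattern from a launcher that creates a suspended child only to adjust it before starting it. The Python below is an added example, not the report's or the sample's code; the API trace format, pids and handle values are constructed.

```python
import re

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit for CreateProcess*

# What must have happened to the child before its thread is resumed for this rule to fire.
REQUIRED_BEFORE_RESUME = ("VirtualAllocEx", "WriteProcessMemory", "SetThreadContext")

def normalize(api):
    """Fold the ANSI/Unicode variants (CreateProcessA / CreateProcessW) onto one name."""
    return re.sub(r"[AW]$", "", api)

def detect_suspended_injection(trace):
    """Correlate, per caller and by handle, the sequence the report lists for 0_2_6E4CDD00:
    CreateProcess(CREATE_SUSPENDED) -> VirtualAllocEx/WriteProcessMemory into the child
    -> SetThreadContext on its primary thread -> ResumeThread."""
    by_process, by_thread, findings = {}, {}, []
    for ev in trace:
        api, a, pid = normalize(ev["api"]), ev["args"], ev["pid"]
        if api == "CreateProcess" and a.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            rec = {"pid": pid, "child": a.get("lpCommandLine"), "stages": ["CreateProcess"]}
            by_process[(pid, a["hProcess"])] = rec   # memory operations are keyed by process handle
            by_thread[(pid, a["hThread"])] = rec     # context/resume operations by thread handle
        elif api in ("VirtualAllocEx", "WriteProcessMemory", "VirtualProtectEx"):
            rec = by_process.get((pid, a.get("hProcess")))
            if rec:
                rec["stages"].append(api)
        elif api in ("GetThreadContext", "SetThreadContext", "ResumeThread"):
            rec = by_thread.get((pid, a.get("hThread")))
            if rec is None:
                continue
            rec["stages"].append(api)
            if api == "ResumeThread" and all(s in rec["stages"] for s in REQUIRED_BEFORE_RESUME):
                findings.append(rec)
    return findings

# Constructed API trace (pid = caller, handles are made up). The first block follows the
# function list the sandbox reported; the second is a launcher that creates a child suspended
# only to set its priority, which the handle correlation keeps from firing.
TRACE = [
    {"pid": 100, "api": "CreateProcessA",     "args": {"lpCommandLine": "msiexec.exe", "dwCreationFlags": 0x4,
                                                       "hProcess": 0x1a4, "hThread": 0x1a8}},
    {"pid": 100, "api": "VirtualAllocEx",     "args": {"hProcess": 0x1a4, "dwSize": 0x1000}},
    {"pid": 100, "api": "WriteProcessMemory", "args": {"hProcess": 0x1a4, "nSize": 0x1000}},
    {"pid": 100, "api": "VirtualAllocEx",     "args": {"hProcess": 0x1a4, "dwSize": 0x2e000}},
    {"pid": 100, "api": "WriteProcessMemory", "args": {"hProcess": 0x1a4, "nSize": 0x2e000}},
    {"pid": 100, "api": "GetThreadContext",   "args": {"hThread": 0x1a8}},
    {"pid": 100, "api": "VirtualProtectEx",   "args": {"hProcess": 0x1a4}},
    {"pid": 100, "api": "SetThreadContext",   "args": {"hThread": 0x1a8}},
    {"pid": 100, "api": "VirtualProtectEx",   "args": {"hProcess": 0x1a4}},
    {"pid": 100, "api": "ResumeThread",       "args": {"hThread": 0x1a8}},
    {"pid": 100, "api": "ExitProcess",        "args": {}},
    {"pid": 200, "api": "CreateProcessW",     "args": {"lpCommandLine": "notepad.exe", "dwCreationFlags": 0x4,
                                                       "hProcess": 0x2c0, "hThread": 0x2c4}},
    {"pid": 200, "api": "SetPriorityClass",   "args": {"hProcess": 0x2c0}},
    {"pid": 200, "api": "ResumeThread",       "args": {"hThread": 0x2c4}},
]

if __name__ == "__main__":
    for hit in detect_suspended_injection(TRACE):
        print(hit["pid"], hit["child"], " -> ".join(hit["stages"]))
```

The rule deliberately keys on handles rather than on the bare presence of the APIs: debuggers, crash handlers and some installers call WriteProcessMemory or SetThreadContext on other processes, but only an injector does all of it against a child it created suspended and has not yet let run.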

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_6E4F1A50
Queries the product ID of Windows
Source: C:\Windows\SysWOW64\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4EF1C8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_6E4EF1C8
Source: C:\Windows\SysWOW64\msiexec.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 352815
Sample: ERRoqGpsIS
Start date: 14/02/2021
Architecture: WINDOWS
Score: 60

Process chain as drawn in the graph:
loaddll32.exe (Multi AV Scanner detection for submitted file; Contains functionality to inject code into remote processes)
  -> msiexec.exe
     -> earfetti.com 104.21.45.75:443 (local ports 49728, 49740), CLOUDFLARENETUS, United States
     -> dropped file C:\Users\user\AppData\Roaming\...\inaxa.dll, PE32 (Multi AV Scanner detection for dropped file)

Contacted Public IPs

IP            Domain   Country        ASN    ASN Name         Malicious
104.21.45.75  unknown  United States  13335  CLOUDFLARENETUS  false

Contacted Domains

Name IP Active
earfetti.com 104.21.45.75 true