Analysis Report 2969281.dat.dll

Overview

General Information

Sample Name: 2969281.dat.dll
Analysis ID: 429074
MD5: a3fb3af5569f54615f09288f206db895
SHA1: c077f2de820ac81fc0c1e49462307798c07892cc
SHA256: 899df3d7c6bbee748a466b90794e3e223c413268d7ed76b6e80bb3eec3d1c9ee
Tags: dll

Detection

Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Yara detected Qbot
Allocates memory in foreign processes
Contains functionality to detect virtual machines
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file does not import any functions
Queries the volume information (name, serial number, etc.) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 10.2.explorer.exe.30b0000.0.unpack Malware Configuration Extractor: Qbot {"Bot id": "obama53", "Campaign": "1622633996", "Version": "402.68", "C2 list": ["96.61.23.88:995", "86.220.62.251:2222", "71.74.12.34:443", "75.67.192.125:443", "24.152.219.253:995", "105.198.236.101:443", "24.179.77.236:443", "47.22.148.6:443", "92.59.35.196:2222", "81.97.154.100:443", "207.246.116.237:443", "207.246.77.75:995", "45.32.211.207:2222", "45.77.115.208:443", "149.28.98.196:443", "45.77.115.208:2222", "144.202.38.185:995", "45.77.115.208:8443", "207.246.77.75:8443", "207.246.77.75:443", "144.202.38.185:2222", "45.77.117.108:995", "149.28.98.196:995", "149.28.101.90:443", "149.28.98.196:2222", "45.32.211.207:995", "144.202.38.185:443", "207.246.77.75:2222", "45.77.115.208:995", "45.77.117.108:443", "149.28.101.90:8443", "149.28.101.90:2222", "216.201.162.158:443", "73.151.236.31:443", "71.41.184.10:3389", "149.28.99.97:443", "149.28.99.97:995", "45.63.107.192:995", "149.28.99.97:2222", "72.240.200.181:2222", "97.69.160.4:2222", "136.232.34.70:443", "83.196.56.65:2222", "188.26.91.212:443", "140.82.49.12:443", "68.186.192.69:443", "95.77.223.148:443", "122.58.117.81:995", "197.45.110.165:995", "184.185.103.157:443", "71.187.170.235:443", "50.29.166.232:995", "92.96.3.180:2078", "27.223.92.142:995", "144.139.47.206:443", "50.244.112.106:443", "76.25.142.196:443", "75.118.1.141:443", "173.21.10.71:2222", "98.252.118.134:443", "98.192.185.86:443", "72.252.201.69:443", "67.165.206.193:993", "75.137.47.174:443", "109.12.111.14:443", "24.55.112.61:443", "190.85.91.154:443", "24.229.150.54:995", "189.210.115.207:443", "175.136.38.142:443", "83.110.108.161:2222", "100.2.123.234:443", "105.198.236.99:443", "81.214.126.173:2222", "68.204.7.158:443", "151.205.102.42:443", "149.28.101.90:995", "207.246.116.237:8443", "207.246.116.237:995", "45.77.117.108:2222", "45.32.211.207:443", "45.32.211.207:8443", "45.77.117.108:8443", "207.246.116.237:2222", "45.63.107.192:2222", 
"45.63.107.192:443", "172.78.18.142:443", "96.37.113.36:993", "24.122.166.173:443", "73.25.124.140:2222", "71.163.222.223:443", "24.139.72.117:443", "86.173.143.211:443", "47.196.213.73:443", "86.248.16.253:2222", "45.46.53.140:2222", "186.154.175.13:443", "70.163.161.79:443", "24.95.61.62:443", "78.63.226.32:443", "195.6.1.154:2222", "76.168.147.166:993", "64.121.114.87:443", "77.27.207.217:995", "31.4.242.233:995", "125.62.192.220:443", "195.12.154.8:443", "71.117.132.169:443", "96.21.251.127:2222", "71.199.192.62:443", "70.168.130.172:995", "82.12.157.95:995", "209.210.187.52:995", "209.210.187.52:443", "67.6.12.4:443", "189.222.59.177:443", "174.104.22.30:443", "142.117.191.18:2222", "189.146.183.105:443", "213.60.147.140:443", "196.221.207.137:995", "108.46.145.30:443", "187.250.238.164:995", "2.7.116.188:2222", "195.43.173.70:443", "106.250.150.98:443", "45.67.231.247:443", "83.110.103.152:443", "83.110.9.71:2222", "78.97.207.104:443", "59.90.246.200:443", "80.227.5.69:443", "125.63.101.62:443", "86.236.77.68:2222", "109.106.69.138:2222", "84.72.35.226:443", "217.133.54

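The extracted configuration above is the most actionable artefact in this report: bot id, campaign, version and the C2 list. The script below is an added example, not part of the sandbox output, that turns a Qbot config in this shape into a validated, deduplicated IOC set. Its input is a constructed subset of the C2 entries listed above, with one duplicated pair and two malformed entries added to exercise the validation. Treating the Campaign value as a Unix timestamp is an assumption (it usually is one in Qbot configs) and the code labels it as such.

```python
"""Turn an extracted Qbot configuration into a validated, deduplicated IOC set."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the report's config layout with a short subset of its C2 list,
# one duplicate pair and two malformed entries added to exercise the validation.
SAMPLE_CONFIG = json.dumps({
    "Bot id": "obama53",
    "Campaign": "1622633996",
    "Version": "402.68",
    "C2 list": [
        "96.61.23.88:995", "86.220.62.251:2222", "71.74.12.34:443",
        "45.77.115.208:443", "45.77.115.208:2222", "45.77.115.208:8443",
        "45.77.115.208:995", "45.77.115.208:443",
        "71.41.184.10:3389", "92.96.3.180:2078", "67.165.206.193:993",
        "not-an-ip:443", "10.0.0.1:99999",
    ],
})


def parse_c2(entry):
    """Return (ip, port) for a well-formed 'ip:port' entry, or None if it is malformed."""
    host, sep, port = entry.rpartition(":")
    if not sep:
        return None
    try:
        ip = ipaddress.ip_address(host)
        port = int(port)
    except ValueError:
        return None
    if not 0 < port < 65536:
        return None
    return str(ip), port


def extract_iocs(config_text):
    """Parse the config JSON and group C2 ports per host, rejecting anything that does not validate."""
    cfg = json.loads(config_text)
    hosts = defaultdict(set)
    rejected = []
    for entry in cfg.get("C2 list", []):
        parsed = parse_c2(entry)
        if parsed is None:
            rejected.append(entry)
            continue
        ip, port = parsed
        hosts[ip].add(port)
    # Assumption: the Campaign value is a Unix timestamp, as it usually is in Qbot configs.
    campaign_date = datetime.fromtimestamp(int(cfg["Campaign"]), tz=timezone.utc).strftime("%Y-%m-%d")
    ordered = sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0]))
    return {
        "bot_id": cfg["Bot id"],
        "version": cfg["Version"],
        "campaign_date": campaign_date,
        "hosts": {ip: sorted(ports) for ip, ports in ordered},
        "ports": sorted({p for ports in hosts.values() for p in ports}),
        "rejected": rejected,
    }


def to_block_list(iocs):
    """One 'ip:port' line per unique pair, in a shape a firewall or proxy deny list can take."""
    return [f"{ip}:{port}" for ip, ports in iocs["hosts"].items() for port in ports]


if __name__ == "__main__":
    result = extract_iocs(SAMPLE_CONFIG)
    print(f"bot id {result['bot_id']}, version {result['version']}, campaign {result['campaign_date']}")
    print("listening ports:", result["ports"])
    print("\n".join(to_block_list(result)))
    print("rejected entries:", result["rejected"])
```

Several hosts in the full list above appear with four or five ports each (443, 995, 2222, 8443), so blocking by host rather than by host:port pair is the more robust choice; the per-host port map is what makes that visible. The 1622633996 campaign value decodes to 2021-06-02, which is consistent with the 402.68 build.
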
Compliance:

Uses 32bit PE files
Source: 2969281.dat.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 2969281.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.477855450.0000000003972000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: winspool.pdbCJ source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.487860643.0000000000A72000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbyJ[ source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: c:\Are\901\Guess-hope\gentle\sky.pdb source: 2969281.dat.dll
Source: Binary string: propsys.pdb=J source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdbk source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb[J9 source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbD source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdbmJ' source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbgJ- source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbUJ? source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: combase.pdbaJ3 source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbOJ source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbIJ source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BAEE4 FindFirstFileW,FindNextFileW, 11_2_001BAEE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F5AEE4 FindFirstFileW,FindNextFileW, 13_2_02F5AEE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EFAEE4 FindFirstFileW,FindNextFileW, 14_2_02EFAEE4

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.598521682.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 0000000D.00000002.462433553.0000000002F50000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 0000000A.00000002.597547698.00000000030B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 0000000B.00000002.462194287.00000000001B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 10.2.explorer.exe.30b0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 11.2.explorer.exe.1b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 13.2.explorer.exe.2f50000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 4.3.rundll32.exe.49469ba.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 5.3.rundll32.exe.42b69ba.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 3.3.rundll32.exe.7569ba.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 1.3.loaddll32.exe.2e669ba.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 6.3.rundll32.exe.9069ba.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 13.2.explorer.exe.2f50000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 11.2.explorer.exe.1b0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 6.3.rundll32.exe.9069ba.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 14.2.explorer.exe.2ef0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 1.3.loaddll32.exe.2e669ba.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 14.2.explorer.exe.2ef0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 5.3.rundll32.exe.42b69ba.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 10.2.explorer.exe.30b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 3.3.rundll32.exe.7569ba.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 4.3.rundll32.exe.49469ba.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG
Detected potential crypto function
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001CA41E 11_2_001CA41E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001CB00E 11_2_001CB00E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001B2008 11_2_001B2008
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001C000A 11_2_001C000A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001C9850 11_2_001C9850
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BD55B 11_2_001BD55B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001C6D40 11_2_001C6D40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001B3988 11_2_001B3988
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001B29CA 11_2_001B29CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001C75E0 11_2_001C75E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BDE03 11_2_001BDE03
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001C8A00 11_2_001C8A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001B3A2E 11_2_001B3A2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001CF66B 11_2_001CF66B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BDA98 11_2_001BDA98
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001CFE8F 11_2_001CFE8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001CA718 11_2_001CA718
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BE355 11_2_001BE355
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BDBBC 11_2_001BDBBC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001CD7E4 11_2_001CD7E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F5DA98 13_2_02F5DA98
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F6FE8F 13_2_02F6FE8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F6F66B 13_2_02F6F66B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F53A2E 13_2_02F53A2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F5DE03 13_2_02F5DE03
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F68A00 13_2_02F68A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F6D7E4 13_2_02F6D7E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F5DBBC 13_2_02F5DBBC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F5E355 13_2_02F5E355
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F6A718 13_2_02F6A718
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F69850 13_2_02F69850
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F6A41E 13_2_02F6A41E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F6B00E 13_2_02F6B00E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F6000A 13_2_02F6000A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F52008 13_2_02F52008
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F675E0 13_2_02F675E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F529CA 13_2_02F529CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F53988 13_2_02F53988
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F5D55B 13_2_02F5D55B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F66D40 13_2_02F66D40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EFDA98 14_2_02EFDA98
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F0FE8F 14_2_02F0FE8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F0F66B 14_2_02F0F66B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EF3A2E 14_2_02EF3A2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EFDE03 14_2_02EFDE03
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F08A00 14_2_02F08A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F0D7E4 14_2_02F0D7E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EFDBBC 14_2_02EFDBBC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EFE355 14_2_02EFE355
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F0A718 14_2_02F0A718
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F09850 14_2_02F09850
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EF2008 14_2_02EF2008
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F0A41E 14_2_02F0A41E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F0000A 14_2_02F0000A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F0B00E 14_2_02F0B00E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F075E0 14_2_02F075E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EF29CA 14_2_02EF29CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EF3988 14_2_02EF3988
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F06D40 14_2_02F06D40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EFD55B 14_2_02EFD55B
One or more processes crash
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 652
PE file does not import any functions
Source: 2969281.dat.dll.14.dr Static PE information: No import functions for PE file found
Source: 2969281.dat.dll.13.dr Static PE information: No import functions for PE file found
Source: 2969281.dat.dll.11.dr Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Uses 32bit PE files
Source: 2969281.dat.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Yara signature match
Source: 0000000E.00000002.598521682.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 0000000D.00000002.462433553.0000000002F50000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 0000000A.00000002.597547698.00000000030B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 0000000B.00000002.462194287.00000000001B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 10.2.explorer.exe.30b0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 11.2.explorer.exe.1b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 13.2.explorer.exe.2f50000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.3.rundll32.exe.49469ba.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.3.rundll32.exe.42b69ba.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.3.rundll32.exe.7569ba.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.3.loaddll32.exe.2e669ba.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 6.3.rundll32.exe.9069ba.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 13.2.explorer.exe.2f50000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 11.2.explorer.exe.1b0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 6.3.rundll32.exe.9069ba.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 14.2.explorer.exe.2ef0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 1.3.loaddll32.exe.2e669ba.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 14.2.explorer.exe.2ef0000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 5.3.rundll32.exe.42b69ba.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 10.2.explorer.exe.30b0000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.3.rundll32.exe.7569ba.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.3.rundll32.exe.49469ba.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: classification engine Classification label: mal100.troj.evad.winDLL@28/7@0/0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001C26A6 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 11_2_001C26A6
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Dxlonvofgsii
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{CBD894A5-3240-43E0-AF05-6684A627E6ED}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess4888
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{0C8BCBDC-C8E7-4398-9FC5-AE0D06B91D7D}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3316:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{CBD894A5-3240-43E0-AF05-6684A627E6ED}
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9274.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: 2969281.dat.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2969281.dat.dll,Fineschool
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\2969281.dat.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2969281.dat.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2969281.dat.dll,Fineschool
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2969281.dat.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2969281.dat.dll,Heartwhite
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\2969281.dat.dll,Replyclothe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn dtbexpme /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\2969281.dat.dll\'' /SC ONCE /Z /ST 15:03 /ET 15:15
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\2969281.dat.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Desktop\2969281.dat.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 2969281.dat.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 2969281.dat.dll Static file information: File size 1169920 > 1048576
Source: 2969281.dat.dll Static PE information: Raw size of .text is bigger than: 0x100000 < 0x114600
Source: 2969281.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2969281.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2969281.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2969281.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2969281.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2969281.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 2969281.dat.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 2969281.dat.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000016.00000003.477855450.0000000003972000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: winspool.pdbCJ source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000016.00000002.487860643.0000000000A72000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: profapi.pdbyJ[ source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: c:\Are\901\Guess-hope\gentle\sky.pdb source: 2969281.dat.dll
Source: Binary string: propsys.pdb=J source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdbk source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb[J9 source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: mpr.pdbD source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: regsvr32.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdbmJ' source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbgJ- source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbUJ? source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbK source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: combase.pdbaJ3 source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbOJ source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbIJ source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000016.00000003.482837623.0000000003D90000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000016.00000003.482843506.0000000003D96000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000016.00000003.482822553.0000000003C51000.00000004.00000001.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BF1CA LoadLibraryA,GetProcAddress, 11_2_001BF1CA
PE file contains an invalid checksum
Source: 2969281.dat.dll Static PE information: real checksum: 0x125bee should be: 0x12d3ab
Source: 2969281.dat.dll.14.dr Static PE information: real checksum: 0x125bee should be: 0x1259db
Source: 2969281.dat.dll.13.dr Static PE information: real checksum: 0x125bee should be: 0x1259db
Source: 2969281.dat.dll.11.dr Static PE information: real checksum: 0x125bee should be: 0x1259db
Registers a DLL
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Desktop\2969281.dat.dll'
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001D5434 push cs; iretd 11_2_001D550A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001D5536 push cs; iretd 11_2_001D550A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001D56E6 push ebx; ret 11_2_001D56E7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F7A2FC push 00000000h; retf 13_2_02F7A36C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F756E6 push ebx; ret 13_2_02F756E7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F7B319 push esi; iretd 13_2_02F7B31E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F75434 push cs; iretd 13_2_02F7550A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F75536 push cs; iretd 13_2_02F7550A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F1A2FC push 00000000h; retf 14_2_02F1A36C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F156E6 push ebx; ret 14_2_02F156E7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F1B319 push esi; iretd 14_2_02F1B31E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F15434 push cs; iretd 14_2_02F1550A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02F15536 push cs; iretd 14_2_02F1550A

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Desktop\2969281.dat.dll Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn dtbexpme /tr 'regsvr32.exe -s \'C:\Users\user\Desktop\2969281.dat.dll\'' /SC ONCE /Z /ST 15:03 /ET 15:15

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5148 base: 2CF380 value: E9 6F 53 C2 02 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7044 base: 2CF380 value: E9 6F 53 DE 02 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7088 base: 2CF380 value: E9 6F 53 EE FF Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 852 base: 2CF380 value: E9 6F 53 C8 02 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contain functionality to detect virtual machines
Source: C:\Windows\SysWOW64\explorer.exe Code function: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq 11_2_001B70F4
Source: C:\Windows\SysWOW64\explorer.exe Code function: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq 13_2_02F570F4
Source: C:\Windows\SysWOW64\explorer.exe Code function: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq 14_2_02EF70F4
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\explorer.exe TID: 7092 Thread sleep count: 216 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 4592 Thread sleep count: 108 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 5856 Thread sleep time: -48000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BAEE4 FindFirstFileW,FindNextFileW, 11_2_001BAEE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_02F5AEE4 FindFirstFileW,FindNextFileW, 13_2_02F5AEE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EFAEE4 FindFirstFileW,FindNextFileW, 14_2_02EFAEE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BF695 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 11_2_001BF695
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: WerFault.exe, 00000016.00000002.489954947.0000000003DB0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000016.00000002.489954947.0000000003DB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000016.00000002.489954947.0000000003DB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe Binary or memory string: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq
Source: loaddll32.exe, 00000001.00000003.448574850.0000000002E40000.00000040.00000001.sdmp, rundll32.exe, 00000003.00000003.415944647.0000000000730000.00000040.00000001.sdmp, rundll32.exe, 00000004.00000003.418742034.0000000004920000.00000040.00000001.sdmp, rundll32.exe, 00000005.00000003.436750253.0000000004290000.00000040.00000001.sdmp, explorer.exe, 0000000A.00000002.597547698.00000000030B0000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000002.462194287.00000000001B0000.00000040.00000001.sdmp, explorer.exe, 0000000D.00000002.462433553.0000000002F50000.00000040.00000001.sdmp, explorer.exe, 0000000E.00000002.598521682.0000000002EF0000.00000040.00000001.sdmp Binary or memory string: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btqpLK96CAU,68rqkHtQIaqOxVc JNdP SZO.DbGwp9VIS Kjh JoOr6ZcF,HE4AdiT,J uub0 KkOTfmDLpwJ51QbkiUhVZHqPQ hyniAMQXRZ5kT 7etjmEcp0nM1GGVVtzeS5ZW jui uS.v.WnxIfdxyvC jn6QJF.VtJh5QRInstHcu3Xy7UYYJjBPTGVtrAxqAkBlbR xwIrMVo7PBKO8 mwTp I1.Uw8d7l2DPxnV TS6k1pMNSl5Ifq8aMe xkorrTgQ.MPDyrtLYL0Xp5c173VPUppWpgi5tuZxZ3xJBeHg4E,XSHAN,asdFb 15w4Yjv3Sb8J v,LrFPUavTPjM20oTCfVCbhJYX5dBY0 FXY3WFSw6kkCIOPsBfdZqxAdh8Q1Q.ZEhMaj.QI4 XIJK2D feDA0sbowdMD0DTseXSbfLCL1qU,zh5s4qjz.rYEc7 UVwHrPGfCIQapdDCsOqDUFCmDZWW6S3ZxmAsODYIshg5znOqFBOOne8W96Xno TfSmEqbEyLne9csTniQN7m27rubkUsXgJZXZ1AZoifG7Qsr,P 19zSa6dOQ83Izi55Twq8Q9 VlgW1DNue6f69A85TPayKQ2632,fpvv2gwYyd9IJQKjxio0ZuntLQazpTw84wjg RabRLv5r.BghOeb, 32ArEm91SEO.oC,ZOQxckJ0jvBAuuk7YQ.UQdVLlrPidIpyinP9xdqqC6V93qpzwvtvt1tx0ry7mcChmGlVCXb4Mf.HT14JzrT,zKnUWUx pP s,8TgVDt.viommjbtyB8YJtfdS6SDLEJx6 2KfI0l7NDAuC9gN70g9h5QcBU7fTCKzEZGXS9CO9imQGo97fwISMozzSF6esABticErfTs 0T3QfV GXMTiFqLWuQRp17vZn a6 B7U4ymzbQO6ir7IUbc4eiaxvok6KQdpRQTxUX9rsEv9hkTH1ARTfrCjDK3 
0N2dmotewb9lsPEjf3pIr3pFt9qt,sl49,iWeeidUxpaVtvuASL4IfgegYsdPQr2O0ffJ5vpnEFSkKnWNUklkr qoIb1 Cy,V1PcZV HHAwXoewfCwc7KuIACK.fOgcBU0.J0uSS5YQy02qhji3Zj BUANa7qGH WLoDxFL1E3hfesZwBN1Gv,cizaE.Uu F3LyBXmNwjhr54.mdGMx1pZiEAJLBAG.5uIHaXkNIkz2E0krJPDjXgWbM lYq2YOyn6vYr.DLce.mZwd6,itYSf393FDfpzN5hEz1EuPKzzMRgstQjukcovpDT 6wIi5nF.7dSXnZJ,MMyf5rWL0HgyWrPMzWZc.4J. ZdDHR7 DJFQLCL7o97cSsD3l19QwAvqOhK3vt6dUW1H3Nlk9dU3Cyf6aR.,FYTs C,itSeLOKy7xbL OFFD1aPybiKLXtTqLna L.9aqj3SF eVI 0OUjCaonTCBUIqksTWKagfc9Ga1PUE.8NkyiaYE80pLWrWPut 54 I26Lghi ymQ0.SGT vWXBjfNnAOLxbeXdiaW dH KGHt22vh6LF0kbZu6Qh7V322o7o7MSRq.NvC7AyoRKP5RLJb,IYAXZGSKpTz1SbMUtwU4NZbx6nJMp1pSbc
Source: WerFault.exe, 00000016.00000002.489954947.0000000003DB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BF1CA LoadLibraryA,GetProcAddress, 11_2_001BF1CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_02EF4589 RtlAddVectoredExceptionHandler, 14_2_02EF4589

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2F30000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 30F0000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 1F0000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2F90000 protect: page read and write Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5148 base: 2F30000 value: 9C Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5148 base: 2CF380 value: E9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7044 base: 30F0000 value: 9C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7044 base: 2CF380 value: E9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7088 base: 1F0000 value: 9C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7088 base: 2CF380 value: E9 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 852 base: 2F90000 value: 9C Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 852 base: 2CF380 value: E9 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\System32\loaddll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2F30000 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2CF380 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 30F0000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2CF380 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 1F0000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2CF380 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2F90000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2CF380 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\2969281.dat.dll',#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: explorer.exe, 0000000E.00000002.599570898.00000000036E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000E.00000002.599570898.00000000036E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000E.00000002.599570898.00000000036E0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 0000000E.00000002.599570898.00000000036E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\loaddll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BCEF9 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 11_2_001BCEF9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001B8A0E LookupAccountNameW,IsValidCodePage, 11_2_001B8A0E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_001BF33E GetCurrentProcess,GetModuleFileNameW,memset,GetVersionExA,GetCurrentProcessId, 11_2_001BF33E

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match File source: 0000000E.00000002.598521682.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436750253.0000000004290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.462433553.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.597547698.00000000030B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.415944647.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.462194287.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418742034.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.446118350.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.448574850.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 10.2.explorer.exe.30b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorer.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.2f50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.49469ba.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.42b69ba.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.7569ba.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.loaddll32.exe.2e669ba.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.9069ba.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.2f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorer.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.9069ba.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.2ef0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.loaddll32.exe.2e669ba.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.2ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.42b69ba.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.explorer.exe.30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.7569ba.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.49469ba.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Qbot
Source: Yara match File source: 0000000E.00000002.598521682.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436750253.0000000004290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.462433553.0000000002F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.597547698.00000000030B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.415944647.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.462194287.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.418742034.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.446118350.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.448574850.0000000002E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 10.2.explorer.exe.30b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorer.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.2f50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.49469ba.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.42b69ba.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.7569ba.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.loaddll32.exe.2e669ba.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.9069ba.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.2f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.explorer.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.rundll32.exe.9069ba.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.2ef0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.loaddll32.exe.2e669ba.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.2ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.3.rundll32.exe.42b69ba.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.explorer.exe.30b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.7569ba.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.3.rundll32.exe.49469ba.0.raw.unpack, type: UNPACKEDPE
Behavior Graph (text reconstruction of the graph image; process nesting and signature attribution follow the graph's own node links)

Behavior Graph ID: 429074
Sample: 2969281.dat.dll
Startdate: 03/06/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:

  • Found malware configuration
  • Malicious sample detected (through community Yara rule)
  • Yara detected Qbot
  • Sigma detected: Schedule system process

Process tree (signatures and dropped files are listed under the process they are attributed to):

  • loaddll32.exe
    Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
    • rundll32.exe
      Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
      • explorer.exe
        Signatures: Contain functionality to detect virtual machines; Uses schtasks.exe or at.exe to add and modify task schedules
    • cmd.exe
      • rundll32.exe
        Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
        • explorer.exe
    • rundll32.exe
      Signatures: Allocates memory in foreign processes; Maps a DLL or memory area into another process
      • explorer.exe
    • 2 other processes
      Dropped: C:\Users\user\Desktop\2969281.dat.dll, PE32
      • schtasks.exe
        • conhost.exe
      • explorer.exe
  • regsvr32.exe
    • regsvr32.exe
      • WerFault.exe
No contacted IP info