Windows Analysis Report 0G0AO3HYEI

Overview

General Information

Sample Name: 0G0AO3HYEI (renamed file extension from none to dll)
Analysis ID: 492188
MD5: c50f692a715db805e68e9655ff6a9ab2
SHA1: 229b257301ed99d518364afd22c4276daa5b3d20
SHA256: ff3aa75e4d4637599d3e97fb8b42ce8a1254425f856671ae56377df2676b1033
Tags: Dridexexe

Detection

Dridex
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
PE file has nameless sections
Potential time zone aware malware
Uses Windows timers to delay execution
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains an invalid checksum
PE file contains strange resources
PE file contains more sections than normal
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: 0G0AO3HYEI.dll Virustotal: Detection: 58%
Source: 0G0AO3HYEI.dll ReversingLabs: Detection: 62%
Source: 0G0AO3HYEI.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: ntdll.pdb source: loaddll64.exe, 00000001.00000003.411800362.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.256715020.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.256417536.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.263803630.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.271733095.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.279171463.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.288178811.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.295451294.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000003.303409299.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.310728417.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000018.00000003.318939594.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.328403002.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000003.335755306.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001E.00000003.343665130.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.352054462.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000021.00000003.359110630.0000000180000000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000001.00000003.411800362.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.256715020.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.256417536.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.263803630.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.271733095.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.279171463.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.288178811.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.295451294.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000003.303409299.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.310728417.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000018.00000003.318939594.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.328403002.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000003.335755306.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001E.00000003.343665130.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.352054462.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000021.00000003.359110630.0000000180000000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004FBF8 FindFirstFileExW, 1_2_000000014004FBF8
Source: explorer.exe, 00000006.00000000.280007192.0000000006870000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000011.00000002.531717710.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.532357019.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.531718093.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.531527593.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.531894805.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.533238918.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.531244676.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.532059437.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.531418646.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.532290767.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.531716160.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.532228237.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.531206986.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.531295536.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.531585014.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.532418928.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.531937010.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.531718874.0000000140001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.532276672.0000000140001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

PE file has nameless sections
Source: 0G0AO3HYEI.dll Static PE information: 22 sections with an empty section name
Detected potential crypto function
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400421C8 1_2_00000001400421C8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400431CC 1_2_00000001400431CC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400504E4 1_2_00000001400504E4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003A688 1_2_000000014003A688
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004271C 1_2_000000014004271C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400447B8 1_2_00000001400447B8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140027954 1_2_0000000140027954
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140053AF0 1_2_0000000140053AF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140045BE0 1_2_0000000140045BE0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004ED58 1_2_000000014004ED58
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140026FF0 1_2_0000000140026FF0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140019054 1_2_0000000140019054
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001C05C 1_2_000000014001C05C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140005078 1_2_0000000140005078
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140053094 1_2_0000000140053094
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400330C4 1_2_00000001400330C4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003B0C8 1_2_000000014003B0C8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400380D0 1_2_00000001400380D0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003F0FC 1_2_000000014003F0FC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140063102 1_2_0000000140063102
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140052110 1_2_0000000140052110
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001311C 1_2_000000014001311C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140001154 1_2_0000000140001154
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400311B0 1_2_00000001400311B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400021C8 1_2_00000001400021C8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400231DC 1_2_00000001400231DC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006D1F0 1_2_000000014006D1F0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140032214 1_2_0000000140032214
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002A214 1_2_000000014002A214
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002E228 1_2_000000014002E228
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140035268 1_2_0000000140035268
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140046264 1_2_0000000140046264
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140069278 1_2_0000000140069278
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002F278 1_2_000000014002F278
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004B288 1_2_000000014004B288
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140068292 1_2_0000000140068292
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400362A0 1_2_00000001400362A0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400172A8 1_2_00000001400172A8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001E2E4 1_2_000000014001E2E4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140029320 1_2_0000000140029320
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000732C 1_2_000000014000732C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002C348 1_2_000000014002C348
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140038424 1_2_0000000140038424
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006B428 1_2_000000014006B428
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005343C 1_2_000000014005343C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005B470 1_2_000000014005B470
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004F4C8 1_2_000000014004F4C8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001B52C 1_2_000000014001B52C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140026540 1_2_0000000140026540
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140044584 1_2_0000000140044584
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140061598 1_2_0000000140061598
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004759C 1_2_000000014004759C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400215FC 1_2_00000001400215FC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140051620 1_2_0000000140051620
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140032648 1_2_0000000140032648
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140053644 1_2_0000000140053644
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140067663 1_2_0000000140067663
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001A66C 1_2_000000014001A66C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003C6B0 1_2_000000014003C6B0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001D6C4 1_2_000000014001D6C4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400356F4 1_2_00000001400356F4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004F708 1_2_000000014004F708
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140024718 1_2_0000000140024718
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001276C 1_2_000000014001276C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000F76C 1_2_000000014000F76C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140056790 1_2_0000000140056790
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400557DC 1_2_00000001400557DC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140057820 1_2_0000000140057820
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003E8E0 1_2_000000014003E8E0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400258FC 1_2_00000001400258FC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005C8FC 1_2_000000014005C8FC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006D904 1_2_000000014006D904
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140005918 1_2_0000000140005918
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140020924 1_2_0000000140020924
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140068928 1_2_0000000140068928
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140031928 1_2_0000000140031928
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140019928 1_2_0000000140019928
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140024940 1_2_0000000140024940
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002D95C 1_2_000000014002D95C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140032964 1_2_0000000140032964
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005497C 1_2_000000014005497C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140033984 1_2_0000000140033984
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400479E0 1_2_00000001400479E0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002CA14 1_2_000000014002CA14
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006BA1C 1_2_000000014006BA1C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140002A20 1_2_0000000140002A20
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140026A24 1_2_0000000140026A24
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002AA90 1_2_000000014002AA90
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140005AB8 1_2_0000000140005AB8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001CAC8 1_2_000000014001CAC8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006AAD8 1_2_000000014006AAD8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140024AEC 1_2_0000000140024AEC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140041AF4 1_2_0000000140041AF4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002BB18 1_2_000000014002BB18
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000EB3C 1_2_000000014000EB3C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140014B68 1_2_0000000140014B68
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140001B74 1_2_0000000140001B74
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002AB7A 1_2_000000014002AB7A
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002AB7F 1_2_000000014002AB7F
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002AB84 1_2_000000014002AB84
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140006B88 1_2_0000000140006B88
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002AB89 1_2_000000014002AB89
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002AB8E 1_2_000000014002AB8E
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002AB93 1_2_000000014002AB93
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002AB98 1_2_000000014002AB98
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002AB9D 1_2_000000014002AB9D
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002ABA2 1_2_000000014002ABA2
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002ABA7 1_2_000000014002ABA7
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001DBB8 1_2_000000014001DBB8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000BBC4 1_2_000000014000BBC4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140003BE0 1_2_0000000140003BE0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140034BF8 1_2_0000000140034BF8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140050BF4 1_2_0000000140050BF4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140016BFC 1_2_0000000140016BFC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005ABFC 1_2_000000014005ABFC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140036C08 1_2_0000000140036C08
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140029C1C 1_2_0000000140029C1C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140026C30 1_2_0000000140026C30
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003CC38 1_2_000000014003CC38
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140035C80 1_2_0000000140035C80
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140022C84 1_2_0000000140022C84
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140032CC8 1_2_0000000140032CC8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004CCD4 1_2_000000014004CCD4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003BCE4 1_2_000000014003BCE4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140015D04 1_2_0000000140015D04
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001AD0C 1_2_000000014001AD0C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140037D24 1_2_0000000140037D24
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001CD24 1_2_000000014001CD24
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005CD24 1_2_000000014005CD24
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001FD44 1_2_000000014001FD44
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140052D60 1_2_0000000140052D60
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000AD5C 1_2_000000014000AD5C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014003DDA4 1_2_000000014003DDA4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140050DA8 1_2_0000000140050DA8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005CDAB 1_2_000000014005CDAB
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140030DC0 1_2_0000000140030DC0
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140051DE4 1_2_0000000140051DE4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140018DE8 1_2_0000000140018DE8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006BE28 1_2_000000014006BE28
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140006E34 1_2_0000000140006E34
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014002AE48 1_2_000000014002AE48
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140068E58 1_2_0000000140068E58
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014001EE68 1_2_000000014001EE68
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140004E68 1_2_0000000140004E68
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014000CEAC 1_2_000000014000CEAC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140011EB4 1_2_0000000140011EB4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140014EBC 1_2_0000000140014EBC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140013ED4 1_2_0000000140013ED4
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140057FA8 1_2_0000000140057FA8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014005CFCA 1_2_000000014005CFCA
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140047FCC 1_2_0000000140047FCC
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140025FD4 1_2_0000000140025FD4
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400455F8 NtAllocateVirtualMemory, 1_2_00000001400455F8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140059688 NtTerminateProcess, 1_2_0000000140059688
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004386C NtDelayExecution, 1_2_000000014004386C
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140049CF8 NtClose, 1_2_0000000140049CF8
PE file contains executable resources (Code or Archives)
Source: 0G0AO3HYEI.dll Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file contains strange resources
Source: 0G0AO3HYEI.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 0G0AO3HYEI.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE file contains more sections than normal
Source: 0G0AO3HYEI.dll Static PE information: Number of sections : 28 > 10
Source: 0G0AO3HYEI.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
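The static PE lines above (22 nameless sections, 28 sections where a normal image has a handful, RT_* section names, the "PE file contains an invalid checksum" signature in the summary) can all be reproduced without a sandbox by walking the section table and recomputing the header checksum. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it builds a constructed header-only PE32+ DLL in memory with the same shape the report describes (28 sections, 22 of them nameless, a stale checksum, image base 0x140000000) and runs the checks over it. The header layout and the CheckSumMappedFile algorithm come from the PE/COFF specification; STANDARD_SECTION_NAMES, MAX_NORMAL_SECTIONS and the 0x60000000 image-base threshold are assumptions chosen to mirror the report's signatures.

```python
"""Static PE section-table and checksum triage (added example; standard library only)."""
import struct

DOS_HEADER_SIZE, COFF_HEADER_SIZE, OPT_HEADER_SIZE_PE32PLUS, SECTION_HEADER_SIZE = 64, 20, 240, 40
PE_SIGNATURE = b"PE\0\0"
CHECKSUM_FIELD_OFFSET = 64      # CheckSum DWORD inside the optional header (same offset for PE32 and PE32+)
MAX_NORMAL_SECTIONS = 10        # assumption: threshold behind the report's "more sections than normal"
# Assumption: names a normal MSVC-linked image carries; anything else is reported as non-standard.
STANDARD_SECTION_NAMES = {b".text", b".rdata", b".data", b".pdata", b".rsrc", b".reloc",
                          b".idata", b".edata", b".tls", b".bss", b".CRT", b".gfids"}


def pe_checksum(data, checksum_offset):
    """CheckSumMappedFile: fold every DWORD (skipping the CheckSum field itself) into a
    16-bit end-around-carry sum, then add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_offset:
            total += struct.unpack_from("<I", padded, off)[0]
            if total >= 1 << 32:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def triage_pe(data):
    """Parse the PE headers and return the static findings the report lists."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("no PE signature")
    coff_off = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff_off + 2)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff_off + 16)[0]      # COFF SizeOfOptionalHeader
    opt_off = coff_off + COFF_HEADER_SIZE
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # PE32+ keeps a 64-bit ImageBase at +24; PE32 has BaseOfData there and a 32-bit ImageBase at +28
    image_base = (struct.unpack_from("<Q", data, opt_off + 24) if magic == 0x20B
                  else struct.unpack_from("<I", data, opt_off + 28))[0]
    checksum_off = opt_off + CHECKSUM_FIELD_OFFSET
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    computed = pe_checksum(data, checksum_off)
    sec_off = opt_off + opt_size
    names = [data[sec_off + i * SECTION_HEADER_SIZE:][:8].rstrip(b"\0") for i in range(nsections)]
    nameless = names.count(b"")
    nonstandard = sorted({n for n in names if n and n not in STANDARD_SECTION_NAMES})
    findings = []
    if nameless:
        findings.append("%d nameless section(s)" % nameless)
    if nsections > MAX_NORMAL_SECTIONS:
        findings.append("%d sections > %d" % (nsections, MAX_NORMAL_SECTIONS))
    if nonstandard:
        findings.append("non-standard section names: " + ", ".join(n.decode("latin-1") for n in nonstandard))
    if stored == 0:
        findings.append("checksum not set")     # common in benign user-mode DLLs; Windows enforces it for drivers
    elif stored != computed:
        findings.append("invalid checksum: stored 0x%08x, computed 0x%08x" % (stored, computed))
    if image_base > 0x60000000:
        findings.append("image base 0x%x > 0x60000000" % image_base)   # the 64-bit MSVC default; weak on its own
    return {"sections": nsections, "nameless": nameless, "nonstandard": nonstandard,
            "checksum_ok": stored == computed, "image_base": image_base, "findings": findings}


def build_sample_pe(section_names, corrupt_checksum=False):
    """Constructed header-only PE32+ DLL for the demo (not the analysed sample). With
    corrupt_checksum=True the stored CheckSum is flipped to simulate a header patched after linking.
    Section names are capped at 8 bytes by the format."""
    e_lfanew = DOS_HEADER_SIZE
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, OPT_HEADER_SIZE_PE32PLUS,
                       0x2022)                                  # AMD64; DLL | LARGE_ADDRESS_AWARE | EXECUTABLE_IMAGE
    opt = bytearray(OPT_HEADER_SIZE_PE32PLUS)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<Q", opt, 24, 0x140000000)                # image base as in the report
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)             # SectionAlignment, FileAlignment
    headers_size = e_lfanew + 4 + COFF_HEADER_SIZE + OPT_HEADER_SIZE_PE32PLUS + SECTION_HEADER_SIZE * len(section_names)
    struct.pack_into("<II", opt, 56, 0x1000 * (len(section_names) + 1), headers_size)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, 0x8160)   # GUI; HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    sections = b"".join(struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0,
                                    0x60000020 if name == b".text" else 0x40000040)   # CODE|EXEC|READ vs DATA|READ
                        for i, name in enumerate(section_names))
    image = bytearray(dos + PE_SIGNATURE + coff + bytes(opt) + sections)
    checksum_off = e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_FIELD_OFFSET
    value = pe_checksum(bytes(image), checksum_off)
    struct.pack_into("<I", image, checksum_off, value ^ 1 if corrupt_checksum else value)
    return bytes(image)


# Constructed demo images: one shaped like the report (28 sections, 22 nameless, RT_* names,
# wrong checksum) and one ordinary four-section DLL whose checksum is correct.
DEMO_REPORT_LIKE = build_sample_pe(
    [b".text", b".rdata", b".data", b".pdata", b"RT_ICON", b"RT_MENU"] + [b""] * 22, corrupt_checksum=True)
DEMO_CLEAN = build_sample_pe([b".text", b".rdata", b".data", b".rsrc"])
```

To run it on a real file, call triage_pe(open(path, "rb").read())["findings"]. A zero CheckSum is reported separately from a wrong one: the field is enforced for drivers rather than user-mode images, so zero is routine in benign DLLs, while a non-zero value that does not match the file means the header was rewritten after linking, which is what a packer or cryptor leaves behind. The image-base line fires on the default 64-bit MSVC base and carries no weight by itself; it is only interesting next to the section-table findings.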
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll'
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DeviceInternetSettingUiW
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDevice
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverA
Source: unknown Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiInstallDriverW
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiRollbackDriver
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDevice
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiShowUpdateDriver
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDevice
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverA
Source: unknown Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,DiUninstallDriverW
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,GetInternetPolicies
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallNewDevice
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallSelectedDriver
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriver
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDriverEx
Source: unknown Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,InstallWindowsUpdateDrivers
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db
Source: classification engine Classification label: mal72.troj.evad.winDLL@45/0@0/0
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\0G0AO3HYEI.dll,CheckDriverSoftwareDependenciesSatisfied
Source: unknown Process created: C:\Windows\explorer.exe (reported 3 times)
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 0G0AO3HYEI.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: 0G0AO3HYEI.dll Static file information: File size 1110016 > 1048576
Source: 0G0AO3HYEI.dll Static PE information: section name: RT_CURSOR
Source: 0G0AO3HYEI.dll Static PE information: section name: RT_BITMAP
Source: 0G0AO3HYEI.dll Static PE information: section name: RT_ICON
Source: 0G0AO3HYEI.dll Static PE information: section name: RT_MENU
Source: 0G0AO3HYEI.dll Static PE information: section name: RT_DIALOG
Source: 0G0AO3HYEI.dll Static PE information: section name: RT_STRING
Source: 0G0AO3HYEI.dll Static PE information: section name: RT_ACCELERATOR
Source: 0G0AO3HYEI.dll Static PE information: section name: RT_GROUP_ICON
Source: 0G0AO3HYEI.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: 0G0AO3HYEI.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: ntdll.pdb source: loaddll64.exe, 00000001.00000003.411800362.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.256715020.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.256417536.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.263803630.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.271733095.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.279171463.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.288178811.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.295451294.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000003.303409299.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.310728417.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000018.00000003.318939594.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.328403002.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000003.335755306.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001E.00000003.343665130.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.352054462.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000021.00000003.359110630.0000000180000000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll64.exe, 00000001.00000003.411800362.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.256715020.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000004.00000003.256417536.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000008.00000003.263803630.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.271733095.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000A.00000003.279171463.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000003.288178811.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000011.00000003.295451294.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000003.303409299.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000003.310728417.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000018.00000003.318939594.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001A.00000003.328403002.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000003.335755306.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001E.00000003.343665130.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 0000001F.00000003.352054462.0000000180000000.00000004.00000001.sdmp, rundll32.exe, 00000021.00000003.359110630.0000000180000000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006E5C9 push 00000031h; retf 1_2_000000014006E5CB
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014006E6A4 push rsp; retf 1_2_000000014006E6A5
PE file contains sections with non-standard names
Source: 0G0AO3HYEI.dll Static PE information: section name: (empty; 22 nameless sections reported)
PE file contains an invalid checksum
Source: 0G0AO3HYEI.dll Static PE information: real checksum: 0x70461819 should be: 0x11e8a9
Source: initial sample Static PE information: section name: .text entropy: 7.84727441246

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX (reported 18 times)
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (reported 21 times)

Malware Analysis System Evasion:

Potential time zone aware malware
Source: C:\Windows\explorer.exe System information queried: CurrentTimeZoneInformation (reported 3 times)
Uses Windows timers to delay execution
Source: C:\Windows\explorer.exe User Timer Set: Timeout: 500ms
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll64.exe TID: 6492 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 6492 Thread sleep count: 232 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\rundll32.exe Last function: Thread delayed (reported 22 times)
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 648
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 412
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 388
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 599
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 633
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 585
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 566
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 400
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 490
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 390
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 399
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400447B8 GetTokenInformation,GetTokenInformation,GetSystemInfo, 1_2_00000001400447B8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_000000014004FBF8 FindFirstFileExW, 1_2_000000014004FBF8
Source: explorer.exe, 00000006.00000000.266283482.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000006.00000000.266283482.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000C.00000000.307251989.000000000054D000.00000004.00000020.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000V
Source: explorer.exe, 00000006.00000000.269976007.000000000EE70000.00000004.00000001.sdmp Binary or memory string: 0000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.266555490.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.266555490.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000006.00000000.261140112.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.266971589.0000000008C73000.00000004.00000001.sdmp Binary or memory string: 0ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&
Source: explorer.exe, 00000006.00000000.266399504.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000006.00000000.266555490.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000006.00000000.269976007.000000000EE70000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}||
Source: explorer.exe, 0000001B.00000000.343461857.00000000010A9000.00000004.00000020.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000001B.00000000.343461857.00000000010A9000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}_3
Source: explorer.exe, 00000006.00000000.280701146.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 0000000C.00000000.307214159.0000000000538000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}k

Anti Debugging:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_00000001400421C8 LdrLoadDll, 1_2_00000001400421C8
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140045800 RtlAddVectoredExceptionHandler, 1_2_0000000140045800

HIPS / PFW / Operating System Protection Evasion:

Queues an APC in another process (thread injection)
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0G0AO3HYEI.dll',#1
Source: explorer.exe, 00000006.00000000.260396404.0000000001400000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: rundll32.exe, 00000004.00000002.537719544.0000028680000000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.279867449.0000000005F40000.00000004.00000001.sdmp, explorer.exe, 0000000C.00000000.307798770.0000000000BD0000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000000.352492281.0000000004A10000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000002.537719544.0000028680000000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.260396404.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.307798770.0000000000BD0000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000000.354870844.0000000005570000.00000004.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000004.00000002.537719544.0000028680000000.00000002.00020000.sdmp Binary or memory string: Program Manager"
Source: explorer.exe, 0000001B.00000000.347528150.00000000017E0000.00000002.00020000.sdmp Binary or memory string: Program Manager/
Source: explorer.exe, 0000000C.00000000.307251989.000000000054D000.00000004.00000020.sdmp Binary or memory string: ProgmanG
Source: explorer.exe, 0000001B.00000000.343461857.00000000010A9000.00000004.00000020.sdmp Binary or memory string: Progman~D
Source: rundll32.exe, 00000004.00000002.537719544.0000028680000000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWndStart
Source: rundll32.exe, 00000004.00000002.537719544.0000028680000000.00000002.00020000.sdmp, explorer.exe, 00000006.00000000.260396404.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000C.00000000.307798770.0000000000BD0000.00000002.00020000.sdmp, explorer.exe, 0000001B.00000000.347528150.00000000017E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.259975951.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000000C.00000000.307798770.0000000000BD0000.00000002.00020000.sdmp Binary or memory string: OProgram Manager
Source: explorer.exe, 00000006.00000000.266399504.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj
Source: explorer.exe, 0000001B.00000003.350412249.0000000004AD4000.00000004.00000001.sdmp Binary or memory string: Progman#Y
Source: explorer.exe, 0000000C.00000000.309606315.0000000004677000.00000004.00000001.sdmp Binary or memory string: Progmanllw{v

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll64.exe Code function: 1_2_0000000140043FF0 GetUserNameW, 1_2_0000000140043FF0
No contacted IP infos