Windows Analysis Report tUJXpPwU27

Overview

General Information

Sample Name: tUJXpPwU27 (renamed file extension from none to dll)
Analysis ID: 528351
MD5: 15239e7be7ce6bfaf0681eb66bcde356
SHA1: 55dc2a27f408bf6437224ecfc62cc01a3311ec08
SHA256: 79036368e6229fa1c4eb724a34e4d10973feaa85628058f4ac1eaac6c1fcf19c
Tags: 32dllexe

Detection

Emotet
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Creates a process in suspended mode (likely to inject code)

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.2d042a8.1.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: tUJXpPwU27.dll Virustotal: Detection: 41%
Source: tUJXpPwU27.dll ReversingLabs: Detection: 48%

Compliance:

Uses 32bit PE files
Source: tUJXpPwU27.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: tUJXpPwU27.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7FC8C1 FindFirstFileExA, 0_2_6E7FC8C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7FC8C1 FindFirstFileExA, 2_2_6E7FC8C1

Networking:

C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190
Source: Joe Sandbox View IP Address: 78.46.73.125

E-Banking Fraud:

Yara detected Emotet

System Summary:

Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Cilqlpbnkp\
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E7E52A0 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E7E52A0 appears 49 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: tUJXpPwU27.dll Binary or memory string: OriginalFilenameOnqeyxlcnp.dll6 vs tUJXpPwU27.dll
Source: tUJXpPwU27.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,aocchppr
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,atibsyaucowikobny
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu",ligDrVSARhbsLaD
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Cilqlpbnkp\gwjznuxweg.czu",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal88.troj.evad.winDLL@26/0@0/20
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7E32C0 CoCreateInstance, 0_2_6E7E32C0
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\tUJXpPwU27.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7DE200 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 0_2_6E7DE200
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: tUJXpPwU27.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: tUJXpPwU27.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: tUJXpPwU27.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: tUJXpPwU27.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: tUJXpPwU27.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E807737 push ecx; ret 0_2_6E80774A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7E52E6 push ecx; ret 0_2_6E7E52F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E807737 push ecx; ret 2_2_6E80774A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7E52E6 push ecx; ret 2_2_6E7E52F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007B1229 push eax; retf 3_2_007B129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00631229 push eax; retf 4_2_0063129A
PE file contains an invalid checksum
Source: tUJXpPwU27.dll Static PE information: real checksum: 0x7f301 should be: 0x82190

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Cilqlpbnkp\gwjznuxweg.czu:Zone.Identifier read attributes | delete
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7E7307 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6E7E7307
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E7D6482 second address: 000000006E7D64B3 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD9E483B642h 0x0000000a mov dword ptr [ebp-20h], 09705DBFh 0x00000011 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E7D8047 second address: 000000006E7D805A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD9E483859Eh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E7D805A second address: 000000006E7D8047 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD9E48479C1h 0x00000014 cmp ecx, dword ptr [6E81E008h] 0x0000001a jne 00007FD9E483B625h 0x0000001d ret 0x0000001f mov esp, ebp 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov edx, dword ptr [ebp-24h] 0x00000026 mov edi, eax 0x00000028 jmp 00007FD9E483B691h 0x0000002a mov al, byte ptr [esi] 0x0000002c cmp al, 61h 0x0000002e movzx eax, al 0x00000031 jc 00007FD9E483B625h 0x00000033 add edi, FFFFFFE0h 0x00000036 mov ecx, dword ptr [ebp-18h] 0x00000039 add edi, eax 0x0000003b mov eax, dword ptr [ebp-50h] 0x0000003e inc esi 0x0000003f add ecx, 0000FFFFh 0x00000045 mov dword ptr [ebp-34h], edi 0x00000048 mov dword ptr [ebp-44h], esi 0x0000004b mov dword ptr [ebp-74h], esi 0x0000004e mov dword ptr [ebp-18h], ecx 0x00000051 test cx, cx 0x00000054 jne 00007FD9E483B56Fh 0x0000005a cmp eax, dword ptr [ebp-30h] 0x0000005d jl 00007FD9E483B635h 0x0000005f mov edx, 0000000Dh 0x00000064 mov ecx, edi 0x00000066 call 00007FD9E483CF8Eh 0x0000006b push ebp 0x0000006c mov ebp, esp 0x0000006e and esp, FFFFFFF8h 0x00000071 sub esp, 0Ch 0x00000074 mov eax, dword ptr [6E81E008h] 0x00000079 xor eax, esp 0x0000007b mov dword ptr [esp+08h], eax 0x0000007f push esi 0x00000080 mov esi, ecx 0x00000082 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E7D6482 second address: 000000006E7D64B3 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD9E48385B2h 0x0000000a mov dword ptr [ebp-20h], 09705DBFh 0x00000011 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E7D8047 second address: 000000006E7D805A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD9E483B62Eh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E7D805A second address: 000000006E7D8047 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD9E4844931h 0x00000014 cmp ecx, dword ptr [6E81E008h] 0x0000001a jne 00007FD9E4838595h 0x0000001d ret 0x0000001f mov esp, ebp 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov edx, dword ptr [ebp-24h] 0x00000026 mov edi, eax 0x00000028 jmp 00007FD9E4838601h 0x0000002a mov al, byte ptr [esi] 0x0000002c cmp al, 61h 0x0000002e movzx eax, al 0x00000031 jc 00007FD9E4838595h 0x00000033 add edi, FFFFFFE0h 0x00000036 mov ecx, dword ptr [ebp-18h] 0x00000039 add edi, eax 0x0000003b mov eax, dword ptr [ebp-50h] 0x0000003e inc esi 0x0000003f add ecx, 0000FFFFh 0x00000045 mov dword ptr [ebp-34h], edi 0x00000048 mov dword ptr [ebp-44h], esi 0x0000004b mov dword ptr [ebp-74h], esi 0x0000004e mov dword ptr [ebp-18h], ecx 0x00000051 test cx, cx 0x00000054 jne 00007FD9E48384DFh 0x0000005a cmp eax, dword ptr [ebp-30h] 0x0000005d jl 00007FD9E48385A5h 0x0000005f mov edx, 0000000Dh 0x00000064 mov ecx, edi 0x00000066 call 00007FD9E4839EFEh 0x0000006b push ebp 0x0000006c mov ebp, esp 0x0000006e and esp, FFFFFFF8h 0x00000071 sub esp, 0Ch 0x00000074 mov eax, dword ptr [6E81E008h] 0x00000079 xor eax, esp 0x0000007b mov dword ptr [esp+08h], eax 0x0000007f push esi 0x00000080 mov esi, ecx 0x00000082 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E7D6482 second address: 000000006E7D64B3 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-18h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD9E483B642h 0x0000000a mov dword ptr [ebp-20h], 09705DBFh 0x00000011 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E7D8047 second address: 000000006E7D805A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD9E483859Eh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E7D805A second address: 000000006E7D8047 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD9E48479C1h 0x00000014 cmp ecx, dword ptr [6E81E008h] 0x0000001a jne 00007FD9E483B625h 0x0000001d ret 0x0000001f mov esp, ebp 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov edx, dword ptr [ebp-24h] 0x00000026 mov edi, eax 0x00000028 jmp 00007FD9E483B691h 0x0000002a mov al, byte ptr [esi] 0x0000002c cmp al, 61h 0x0000002e movzx eax, al 0x00000031 jc 00007FD9E483B625h 0x00000033 add edi, FFFFFFE0h 0x00000036 mov ecx, dword ptr [ebp-18h] 0x00000039 add edi, eax 0x0000003b mov eax, dword ptr [ebp-50h] 0x0000003e inc esi 0x0000003f add ecx, 0000FFFFh 0x00000045 mov dword ptr [ebp-34h], edi 0x00000048 mov dword ptr [ebp-44h], esi 0x0000004b mov dword ptr [ebp-74h], esi 0x0000004e mov dword ptr [ebp-18h], ecx 0x00000051 test cx, cx 0x00000054 jne 00007FD9E483B56Fh 0x0000005a cmp eax, dword ptr [ebp-30h] 0x0000005d jl 00007FD9E483B635h 0x0000005f mov edx, 0000000Dh 0x00000064 mov ecx, edi 0x00000066 call 00007FD9E483CF8Eh 0x0000006b push ebp 0x0000006c mov ebp, esp 0x0000006e and esp, FFFFFFF8h 0x00000071 sub esp, 0Ch 0x00000074 mov eax, dword ptr [6E81E008h] 0x00000079 xor eax, esp 0x0000007b mov dword ptr [esp+08h], eax 0x0000007f push esi 0x00000080 mov esi, ecx 0x00000082 rdtscp
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7D6430 rdtscp 0_2_6E7D6430
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7FC8C1 FindFirstFileExA, 0_2_6E7FC8C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7FC8C1 FindFirstFileExA, 2_2_6E7FC8C1
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7E78AF IsDebuggerPresent,OutputDebugStringW, 0_2_6E7E78AF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7E7C71 GetProcessHeap,HeapFree, 0_2_6E7E7C71
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7D6430 mov edi, dword ptr fs:[00000030h] 0_2_6E7D6430
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7E7B5A mov esi, dword ptr fs:[00000030h] 0_2_6E7E7B5A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7D6320 mov eax, dword ptr fs:[00000030h] 0_2_6E7D6320
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7F607A mov eax, dword ptr fs:[00000030h] 0_2_6E7F607A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7D8080 mov eax, dword ptr fs:[00000030h] 0_2_6E7D8080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7D6430 mov edi, dword ptr fs:[00000030h] 2_2_6E7D6430
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7E7B5A mov esi, dword ptr fs:[00000030h] 2_2_6E7E7B5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7D6320 mov eax, dword ptr fs:[00000030h] 2_2_6E7D6320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7F607A mov eax, dword ptr fs:[00000030h] 2_2_6E7F607A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7D8080 mov eax, dword ptr fs:[00000030h] 2_2_6E7D8080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_007CDE10 mov eax, dword ptr fs:[00000030h] 3_2_007CDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0064DE10 mov eax, dword ptr fs:[00000030h] 4_2_0064DE10
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7E48F9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E7E48F9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7EE411 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E7EE411
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7E517D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E7E517D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7E48F9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E7E48F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7EE411 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E7EE411
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7E517D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E7E517D

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\tUJXpPwU27.dll",#1
Source: rundll32.exe, 00000012.00000002.1171696447.00000000030F0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000012.00000002.1171696447.00000000030F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000012.00000002.1171696447.00000000030F0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000012.00000002.1171696447.00000000030F0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E804E7C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E7FD9CB
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E8056E7
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E8057B4
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E7FD466
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E8054B7
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E8055E0
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E805267
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E8050F4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E80504B
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E8051DA
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E80513F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E804E7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E7FD9CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E8056E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E8057B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E7FD466
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E8054B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E8055E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E805267
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E8050F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E80504B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E8051DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E80513F
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7E4FD6 cpuid 0_2_6E7E4FD6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7E52FC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E7E52FC

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 8.2.rundll32.exe.a85f00.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6c4390.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.8b4350.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6c4390.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.8b4350.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2d042a8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2d042a8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.a85f00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1000235837.000000000099C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.977580541.0000000002CEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.997848622.0000000002E95000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.997168710.00000000006AA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1134773374.0000000000A6A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.998474628.000000000089A000.00000004.00000020.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E7D1890 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_6E7D1890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E7D1890 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 2_2_6E7D1890