Windows Analysis Report IkroV40UrZ

Overview

General Information

Sample Name: IkroV40UrZ (renamed file extension from none to dll)
Analysis ID: 528696
MD5: 212599483786f352c8ed6cd9d80b5200
SHA1: 2eb94160502ad93a12731abeebd2088beff8566d
SHA256: cc38c2fffdb9221d3d579488c424a8d3df4d7bd0f61a9bb7a9f574f86daa788f
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Program does not show much activity (idle)
IP address seen in connection with other malware
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 8.2.rundll32.exe.50e0000.14.raw.unpack Malware Configuration Extractor: Emotet {"Public Key": ["RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW", "RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0"], "C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"]}
Multi AV Scanner detection for submitted file
Source: IkroV40UrZ.dll Virustotal: Detection: 22%
Machine Learning detection for sample
Source: IkroV40UrZ.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: IkroV40UrZ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DA1A80 FindFirstFileW, 8_2_02DA1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49753 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /fSauBpzYdxdutXQRhfFWvUQgIeYPAyASpVgdvBITrKg HTTP/1.1 Cookie: S=6I/+QFVkcZtEzrIvT3k/4krcj0iik0utDUWBYWFm1M2gATilaTmPlb+FtYPm9vhOKqtO/fCkMWv0ru0nH5uWWukSSKNek4hSSgLUIigWtGu0L5pLKMyPnvsDMIGtSHshg/BMAZugrtxCBFzTPI37mmvxUjNbS+15CuLUIKmvh10CIS1l/qevcU+0nhAGddK2+7497jOsxcsoO1478ofWf4wArlXzjKbRIEPBEaRxell8LCtO0ghSUMednJzxj4jn Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190
Source: Joe Sandbox View IP Address: 78.46.73.125
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: svchost.exe, 00000015.00000003.879349402.0000021EFDD8B000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000015.00000003.879349402.0000021EFDD8B000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000015.00000003.879261346.0000021EFDD9E000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.879349402.0000021EFDD8B000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO
","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-23T19:02:05.3195648Z||.||797d024d-8c74-4faa-b6a6-08435801478b||1152921505694213184||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: rundll32.exe, rundll32.exe, 00000003.00000002.666401387.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.665163997.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.668704843.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1183420472.0000000010056000.00000002.00020000.sdmp, IkroV40UrZ.dll String found in binary or memory: http://www.yahoo.com equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000015.00000002.894285353.0000021EFD4E9000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000015.00000002.894285353.0000021EFD4E9000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000015.00000003.871484947.0000021EFDD91000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.871654813.0000021EFDD9B000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, rundll32.exe, 00000003.00000002.666401387.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.665163997.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.668704843.0000000010056000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.1183420472.0000000010056000.00000002.00020000.sdmp, IkroV40UrZ.dll String found in binary or memory: http://www.yahoo.com
Source: svchost.exe, 00000015.00000003.871484947.0000021EFDD91000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.871654813.0000021EFDD9B000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000015.00000003.871484947.0000021EFDD91000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.871654813.0000021EFDD9B000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000015.00000003.871484947.0000021EFDD91000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.871654813.0000021EFDD9B000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000015.00000003.872778773.0000021EFDD76000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 00000015.00000003.872803029.0000021EFE202000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.872736736.0000021EFDD9E000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.872761382.0000021EFDD9E000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.872788484.0000021EFDD87000.00000004.00000001.sdmp, svchost.exe, 00000015.00000003.872778773.0000021EFDD76000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DB1027 InternetReadFile, 8_2_02DB1027
Source: global traffic HTTP traffic detected: GET /fSauBpzYdxdutXQRhfFWvUQgIeYPAyASpVgdvBITrKg HTTP/1.1 Cookie: S=6I/+QFVkcZtEzrIvT3k/4krcj0iik0utDUWBYWFm1M2gATilaTmPlb+FtYPm9vhOKqtO/fCkMWv0ru0nH5uWWukSSKNek4hSSgLUIigWtGu0L5pLKMyPnvsDMIGtSHshg/BMAZugrtxCBFzTPI37mmvxUjNbS+15CuLUIKmvh10CIS1l/qevcU+0nhAGddK2+7497jOsxcsoO1478ofWf4wArlXzjKbRIEPBEaRxell8LCtO0ghSUMednJzxj4jn Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49753 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10023471 SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA, 3_2_10023471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10013EC9 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 3_2_10013EC9

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 8.2.rundll32.exe.4710000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4c70000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2d60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4c70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4f00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4c40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2870000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.50e0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.50d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.50d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4fe0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4fe0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.52f0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4b90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4f70000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.52f0000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.50e0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4f10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.51c0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.51c0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4f10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2d60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4b90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4c40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ea0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4f70000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ea0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4f00000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4710000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1181155000.0000000002870000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.665726313.0000000004630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.664559498.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.665957806.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182007350.00000000051C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668227478.0000000004750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.666321163.00000000050D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.666059201.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.666260679.0000000004F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181931898.00000000050E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181681043.0000000004C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181375522.0000000002D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.666191269.0000000004F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181870913.0000000004FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181601971.0000000004710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182479179.00000000052F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181760635.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181809796.0000000004F00000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: IkroV40UrZ.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Paztjwaafuum\wtlx.fdn:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Paztjwaafuum\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10046A46 3_2_10046A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10010E3B 3_2_10010E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003FFA2 3_2_1003FFA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466441E 3_2_0466441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466F41F 3_2_0466F41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467056A 3_2_0467056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04662043 3_2_04662043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046790BA 3_2_046790BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466A3DF 3_2_0466A3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04669384 3_2_04669384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04664C00 3_2_04664C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467ECE3 3_2_0467ECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467AEEB 3_2_0467AEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467DEF4 3_2_0467DEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04663845 3_2_04663845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046808D1 3_2_046808D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467D99A 3_2_0467D99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04662A46 3_2_04662A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467CAA8 3_2_0467CAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04677BB2 3_2_04677BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467E441 3_2_0467E441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046744AA 3_2_046744AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467748A 3_2_0467748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04663502 3_2_04663502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466251C 3_2_0466251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046655E8 3_2_046655E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466C5FE 3_2_0466C5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046825C3 3_2_046825C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466758F 3_2_0466758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04662654 3_2_04662654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467D6A7 3_2_0467D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04680687 3_2_04680687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467577E 3_2_0467577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467406E 3_2_0467406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466A048 3_2_0466A048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_046630F6 3_2_046630F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467D091 3_2_0467D091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467F14D 3_2_0467F14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466C158 3_2_0466C158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467B1B5 3_2_0467B1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04681193 3_2_04681193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466D223 3_2_0466D223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04675220 3_2_04675220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466220A 3_2_0466220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0466E21C 3_2_0466E21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04667283 3_2_04667283
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10041CAB appears 86 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10041DB8 appears 37 times
Source: IkroV40UrZ.dll Virustotal: Detection: 22%
Source: IkroV40UrZ.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IkroV40UrZ.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Paztjwaafuum\wtlx.fdn",LTJacfTd
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Paztjwaafuum\wtlx.fdn",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IkroV40UrZ.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Paztjwaafuum\wtlx.fdn",LTJacfTd
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Paztjwaafuum\wtlx.fdn",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@18/0@0/20
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DA1B54 CreateToolhelp32Snapshot, 8_2_02DA1B54
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\IkroV40UrZ.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012024 FindResourceA,LoadResource,LockResource,FreeResource, 3_2_10012024
Source: rundll32.exe, 00000004.00000002.664870466.0000000002BA1000.00000004.00000020.sdmp Binary or memory string: ps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBP
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: IkroV40UrZ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: IkroV40UrZ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: IkroV40UrZ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: IkroV40UrZ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: IkroV40UrZ.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041D83 push ecx; ret 3_2_10041D96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041DFD push ecx; ret 3_2_10041E10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04661229 push eax; retf 3_2_0466129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_047A1229 push eax; retf 7_2_047A129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02D91229 push eax; retf 8_2_02D9129A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004D1EA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_1004D1EA
PE file contains an invalid checksum
Source: IkroV40UrZ.dll Static PE information: real checksum: 0xadad1 should be: 0xa7ceb

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Paztjwaafuum\wtlx.fdn

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Paztjwaafuum\wtlx.fdn:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C188 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_1000C188
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10023C63 IsWindowVisible,IsIconic, 3_2_10023C63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001CF24 GetParent,GetParent,IsIconic,GetParent, 3_2_1001CF24
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6660 Thread sleep time: -120000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100331CA __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_100331CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DA1A80 FindFirstFileW, 8_2_02DA1A80
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000015.00000002.894297090.0000021EFD4F8000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000015.00000002.894203243.0000021EFD482000.00000004.00000001.sdmp, svchost.exe, 00000015.00000002.894285353.0000021EFD4E9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100441C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_100441C0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004D1EA LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_1004D1EA
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0467DE10 mov eax, dword ptr fs:[00000030h] 3_2_0467DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_047BDE10 mov eax, dword ptr fs:[00000030h] 7_2_047BDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02DADE10 mov eax, dword ptr fs:[00000030h] 8_2_02DADE10
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100441C0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_100441C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004A1EC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1004A1EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003F29E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1003F29E

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\IkroV40UrZ.dll",#1
Source: rundll32.exe, 00000008.00000002.1181476990.0000000003170000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000008.00000002.1181476990.0000000003170000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000008.00000002.1181476990.0000000003170000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000008.00000002.1181476990.0000000003170000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,GetLocaleInfoA,__snwprintf_s,LoadLibraryA, 3_2_100199B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1004DE0C
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10048D61 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_10048D61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000BFE6 _memset,GetVersionExA, 3_2_1000BFE6

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 8.2.rundll32.exe.4710000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4c70000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2d60000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4c70000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4f00000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4c40000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2870000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.50e0000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.50d0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.50d0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4fe0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4750000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4750000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4fe0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4630000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2870000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.52f0000.18.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2ab0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4b90000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4f70000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.52f0000.18.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.50e0000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4f10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.51c0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.51c0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4f10000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.2d60000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4b90000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4c40000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ea0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4f70000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4ea0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4630000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4f00000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.4710000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.1181155000.0000000002870000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.665726313.0000000004630000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.664559498.0000000002AB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.665957806.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182007350.00000000051C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.668227478.0000000004750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.666321163.00000000050D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.666059201.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.666260679.0000000004F70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181931898.00000000050E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181681043.0000000004C40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181375522.0000000002D60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.666191269.0000000004F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181870913.0000000004FE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181601971.0000000004710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1182479179.00000000052F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181760635.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.1181809796.0000000004F00000.00000040.00000001.sdmp, type: MEMORY