Source: K5hW6I5xeA.dll
Virustotal: Detection: 28%
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA52300 CryptDecrypt,CryptSetKeyParam,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptAcquireContextA,CryptAcquireContextA,CryptImportKey,VirtualAlloc
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA54940 CryptAcquireContextA
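Reading the API list of 2_2_6EA52300 together (CryptAcquireContextA, CryptImportKey, CryptSetKeyParam, CryptDecrypt, next to VirtualAlloc) gives the shape of a routine that imports raw key material, decrypts a buffer and lands the plaintext in freshly allocated memory. CryptImportKey only accepts a key BLOB whose header names the algorithm, so once such a blob is located in a dump, the algorithm and key fall out of its layout. The following is an added example of that analyst-side step; it is not code from the report or from the analyzed DLL, the sample blob and dump are constructed, and nothing here asserts which algorithm or key the DLL actually uses. The constants are the documented wincrypt.h values; MAX_KEY_LEN is an assumed plausibility bound for the carver.

```python
import struct

# Documented wincrypt.h values
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
ALG_NAMES = {0x6601: "CALG_DES", 0x6602: "CALG_RC2", 0x6603: "CALG_3DES", 0x6609: "CALG_3DES_112",
             0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256",
             0x6801: "CALG_RC4"}
KP_IV, KP_MODE = 1, 4                 # CryptSetKeyParam selectors that usually follow CryptImportKey
BLOBHEADER = struct.Struct("<BBHI")   # bType, bVersion, reserved, aiKeyAlg
MAX_KEY_LEN = 64                      # plausibility bound for the carver (assumption, not a CryptoAPI limit)


def parse_plaintext_key_blob(blob):
    """Decode a PLAINTEXTKEYBLOB as handed to CryptImportKey:
    BLOBHEADER, then DWORD cbKeySize, then cbKeySize bytes of raw key."""
    if len(blob) < BLOBHEADER.size + 4:
        raise ValueError("blob shorter than BLOBHEADER + cbKeySize")
    btype, bversion, reserved, alg = BLOBHEADER.unpack_from(blob, 0)
    if btype != PLAINTEXTKEYBLOB:
        raise ValueError(f"bType 0x{btype:02x} is not PLAINTEXTKEYBLOB")
    if bversion != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("unexpected bVersion/reserved")
    (key_len,) = struct.unpack_from("<I", blob, BLOBHEADER.size)
    key = blob[BLOBHEADER.size + 4: BLOBHEADER.size + 4 + key_len]
    if len(key) != key_len:
        raise ValueError("truncated key material")
    return {"alg_id": alg, "alg": ALG_NAMES.get(alg, f"unknown(0x{alg:04x})"),
            "key_len": key_len, "key": key}


def build_plaintext_key_blob(alg, key):
    """Inverse of the parser; used here only to construct the sample."""
    return BLOBHEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg) + struct.pack("<I", len(key)) + key


def carve_key_blobs(buf):
    """Scan a memory region for headers that decode as a plausible PLAINTEXTKEYBLOB."""
    hits = []
    for off in range(len(buf) - BLOBHEADER.size - 4 + 1):
        if buf[off] != PLAINTEXTKEYBLOB or buf[off + 1] != CUR_BLOB_VERSION:
            continue
        if struct.unpack_from("<I", buf, off + 4)[0] not in ALG_NAMES:
            continue
        try:
            info = parse_plaintext_key_blob(buf[off:])
        except ValueError:
            continue
        if 0 < info["key_len"] <= MAX_KEY_LEN:
            info["offset"] = off
            hits.append(info)
    return hits


# Constructed sample (not from the DLL): a 32-byte key tagged CALG_AES_256 inside some filler bytes
SAMPLE_BLOB = build_plaintext_key_blob(0x6610, bytes(range(32)))
SAMPLE_DUMP = b"\x00" * 17 + SAMPLE_BLOB + b"\xff" * 9
```

A PLAINTEXTKEYBLOB is only one of the blob types CryptImportKey accepts (SIMPLEBLOB and PUBLICKEYBLOB have different layouts), so an empty scan result does not mean no key is present. The CryptSetKeyParam call in the same routine is where the IV (KP_IV) and cipher mode (KP_MODE) normally get set before CryptDecrypt runs, so those two values are worth capturing alongside the blob when the function is stepped through.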
Source: K5hW6I5xeA.dll
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: K5hW6I5xeA.dll
Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA57045 FindFirstFileExA
Source: loaddll32.exe, 00000002.00000002.836708742.0000000000F7B000.00000004.00000020.sdmp
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: Yara match
File source: 9.2.rundll32.exe.4d30000.0.unpack, type: UNPACKEDPE
Source: Yara match
File source: 9.2.rundll32.exe.4d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match
File source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA52A10
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA5C678
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA51000
Source: K5hW6I5xeA.dll
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL
Source: unknown
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll"
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju
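Taken together, the process-creation entries above describe one loader (loaddll32.exe) that invokes the DLL four ways: through the Control_RunDLL entry point, by ordinal #1 (wrapped in cmd.exe /C), and through two named exports. The following is an added Python example, not part of the report, that reconstructs that tree from lines in the report's own "Source:" / "Process created:" layout and pulls the DLL path and entry point out of each rundll32.exe command line. REPORT is a constructed excerpt of the entries above; the triage_flags rules are this editor's own heuristics, not something the sandbox states about the sample.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own "Source:" / "Process created:" layout.
REPORT = r"""
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL
Source: unknown
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll"
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju
"""

PROC_RE = re.compile(r"^Process created: (\S+\.exe) (.*)$", re.I)
# rundll32 syntax: rundll32.exe <dll>,<entry>; the dll may be quoted, the entry may be #ordinal
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)


def parse_process_events(text):
    """Pair each 'Source:' line with the 'Process created:' line that follows it."""
    events, parent = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Source:"):
            parent = line[len("Source:"):].strip()
            continue
        m = PROC_RE.match(line)
        if m and parent is not None:
            events.append({"parent": parent, "image": m.group(1), "cmdline": m.group(2)})
            parent = None
    return events


def build_tree(events):
    """parent image -> list of child images, in report order."""
    tree = defaultdict(list)
    for e in events:
        tree[e["parent"]].append(e["image"])
    return dict(tree)


def triage_flags(dll, entry, parent):
    """This editor's heuristics, not the sandbox's: what makes a rundll32 launch worth a closer look."""
    flags = []
    low = dll.lower()
    if not (low.startswith("c:\\windows\\") or low.startswith("c:\\program files")):
        flags.append("dll_outside_system_dirs")
    if entry.startswith("#"):
        flags.append("ordinal_entry")
    if parent.lower().endswith("\\cmd.exe"):
        flags.append("launched_via_cmd")
    return flags


def rundll32_invocations(events):
    """For every rundll32.exe process, extract the DLL and how it was entered."""
    out = []
    for e in events:
        if not e["image"].lower().endswith("\\rundll32.exe"):
            continue  # cmd.exe's command line also mentions rundll32.exe, but it is only the wrapper
        m = RUNDLL_RE.search(e["cmdline"])
        if not m:
            continue
        dll, entry = m.group(1), m.group(2)
        kind = "ordinal" if entry.startswith("#") else "cpl_entry" if entry == "Control_RunDLL" else "export"
        out.append({"parent": e["parent"], "dll": dll, "entry": entry, "kind": kind,
                    "flags": triage_flags(dll, entry, e["parent"])})
    return out
```

The same parser works on a live report export as long as the "Source:" line precedes its "Process created:" line, which is how the sandbox lays the pairs out; the export-name and ordinal list it produces is what a Sigma-style rule on rundll32 command lines would key on.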
Source: classification engine
Classification label: mal68.troj.evad.winDLL@11/0@0/0
Source: K5hW6I5xeA.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: K5hW6I5xeA.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: K5hW6I5xeA.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: K5hW6I5xeA.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: K5hW6I5xeA.dll
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA53C66 push ecx; ret
2_2_6EA53C79
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX (same entry recorded for each of the four rundll32.exe processes)
Source: C:\Windows\SysWOW64\rundll32.exe
RDTSC instruction interceptor: First address: 000000006EA525AA second address: 000000006EA525B9 instructions:
  0x00000000 rdtscp
  0x00000003 mov dword ptr [esp+60h], 00000000h
  0x0000000b mov dword ptr [esp+60h], ecx
  0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe
RDTSC instruction interceptor: First address: 000000006EA525B9 second address: 000000006EA525D9 instructions:
  0x00000000 rdtscp
  0x00000003 mov dword ptr [esp+5Ch], 00000000h
  0x0000000b mov dword ptr [esp+5Ch], ecx
  0x0000000f nop dword ptr [eax+eax+00000000h]
  0x00000017 inc esi
  0x00000018 mov dword ptr [esp+64h], 00000000h
  0x00000020 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe
RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions:
  0x00000000 rdtscp
  0x00000003 mov dword ptr [esp+64h], ecx
  0x00000007 movd xmm0, esi
  0x0000000b cvtdq2pd xmm0, xmm0
  0x0000000f comisd xmm2, xmm0
  0x00000013 jnc 00007F4D65053704h
  0x00000015 inc esi
  0x00000016 mov dword ptr [esp+64h], 00000000h
  0x0000001e rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe
RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions:
  0x00000000 rdtscp
  0x00000003 mov dword ptr [esp+64h], ecx
  0x00000007 movd xmm0, esi
  0x0000000b cvtdq2pd xmm0, xmm0
  0x0000000f comisd xmm2, xmm0
  0x00000013 jnc 00007F4D6476A404h
  0x00000015 inc esi
  0x00000016 mov dword ptr [esp+64h], 00000000h
  0x0000001e rdtscp
Source: C:\Windows\System32\loaddll32.exe
RDTSC instruction interceptor: First address: 000000006EA525AA second address: 000000006EA525B9 instructions:
  0x00000000 rdtscp
  0x00000003 mov dword ptr [esp+60h], 00000000h
  0x0000000b mov dword ptr [esp+60h], ecx
  0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe
RDTSC instruction interceptor: First address: 000000006EA525B9 second address: 000000006EA525D9 instructions:
  0x00000000 rdtscp
  0x00000003 mov dword ptr [esp+5Ch], 00000000h
  0x0000000b mov dword ptr [esp+5Ch], ecx
  0x0000000f nop dword ptr [eax+eax+00000000h]
  0x00000017 inc esi
  0x00000018 mov dword ptr [esp+64h], 00000000h
  0x00000020 rdtscp
Source: C:\Windows\System32\loaddll32.exe
RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions:
  0x00000000 rdtscp
  0x00000003 mov dword ptr [esp+64h], ecx
  0x00000007 movd xmm0, esi
  0x0000000b cvtdq2pd xmm0, xmm0
  0x0000000f comisd xmm2, xmm0
  0x00000013 jnc 00007F4D65053704h
  0x00000015 inc esi
  0x00000016 mov dword ptr [esp+64h], 00000000h
  0x0000001e rdtscp
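The interceptor listings show a loop that executes rdtscp repeatedly: esi counts iterations, the count is converted to a double (movd, cvtdq2pd) and compared against a bound held in xmm2 (comisd, jnc), and ecx (the TSC_AUX value rdtscp returns) is stored to the stack on every pass. Loops of this shape feed timing-based sandbox and debugger checks: the gap between two adjacent counter reads is far larger when a hypervisor traps the instruction, a debugger single-steps, or a hook runs in between than it is on bare metal, which is exactly why the sandbox intercepts the instruction and controls what value the sample sees. The following is an added Python example of that heuristic and of what an interceptor does to it; it is not code from the DLL or the report. time.perf_counter_ns stands in for rdtscp (Python cannot issue the instruction itself), make_fake_counter models the interceptor, and the threshold is a placeholder rather than a value taken from the sample.

```python
import statistics
import time


def sample_deltas(n, read_counter=time.perf_counter_ns):
    """n back-to-back counter reads -> the n-1 gaps between adjacent reads.
    read_counter stands in for rdtscp; Python cannot issue the instruction itself."""
    readings = [read_counter() for _ in range(n)]
    return [later - earlier for earlier, later in zip(readings, readings[1:])]


def looks_instrumented(deltas, threshold):
    """The decision such loops feed: if the typical gap between two adjacent reads is well above
    what bare metal produces, something (a hypervisor exit on the instruction, a single-stepping
    debugger, a hooked call between the reads) is sitting in between. The median is used rather
    than the mean so one scheduler preemption does not flip the verdict.
    The threshold is a placeholder; real samples calibrate it per machine class."""
    return statistics.median(deltas) > threshold


def make_fake_counter(step):
    """Constructed counter that advances by a fixed step per read. It models what the report calls
    an RDTSC instruction interceptor: the sandbox, not the CPU, decides what value the sample sees,
    so it can hand out bare-metal-looking gaps regardless of how slowly the code really ran."""
    state = {"now": 0}

    def read():
        state["now"] += step
        return state["now"]
    return read


def run_check(iterations=1000, threshold_ns=500, read_counter=time.perf_counter_ns):
    """Whole check as the loop in the listing performs it: sample, then compare against the bound."""
    deltas = sample_deltas(iterations, read_counter)
    return {"median_ns": statistics.median(deltas), "max_ns": max(deltas),
            "instrumented": looks_instrumented(deltas, threshold_ns)}
```

Running run_check() with the real clock on a physical machine versus inside a VM shows the effect the check is built on; feeding it make_fake_counter(50) shows why a sandbox that intercepts rdtsc/rdtscp can make the same loop report bare metal.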
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA52570 rdtscp
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA53A9C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA56AEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA528D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA52DF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA55900 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA5817A GetProcessHeap
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA56B21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA535A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp
Binary or memory string: Program Manager
Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp
Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp
Binary or memory string: Progman
Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp
Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA53C7C cpuid
Source: C:\Windows\System32\loaddll32.exe
Code function: 2_2_6EA536C7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter