Windows Analysis Report K5hW6I5xeA

Overview

General Information

Sample Name: K5hW6I5xeA (renamed file extension from none to dll)
Analysis ID: 531949
MD5: d89375ecbc2638d71f6cc446947adb71
SHA1: d9cd4340910bd1dd2f3d576fd7ea5fdfd6671060
SHA256: e523b545ce399ceb37ba1fb400ba5e7a285e6d4c1e3ae5bbd5607ce538b64ac7
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Emotet
Multi AV Scanner detection for submitted file
Tries to detect virtualization through RDTSC time measurements
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Contains functionality for execution timing, often used to detect debuggers

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: K5hW6I5xeA.dll Virustotal: Detection: 28%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA52300 CryptDecrypt,CryptSetKeyParam,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptAcquireContextA,CryptAcquireContextA,CryptImportKey,VirtualAlloc, 2_2_6EA52300
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA54940 CryptAcquireContextA, 2_2_6EA54940
The list for 2_2_6EA52300 is the set of imports the routine references, not their call order. A single routine that acquires a CryptoAPI context, imports a key (CryptImportKey), sets a key parameter (CryptSetKeyParam), decrypts (CryptDecrypt) and also calls VirtualAlloc is consistent with a loader stub that decrypts an embedded payload into freshly allocated memory; this would fit the Yara match on an unpacked Emotet image in the memory of a rundll32.exe process (process 9) reported below. The report does not identify the algorithm or key material, so the provider name alone does not tell you what was decrypted.

Compliance:

Uses 32bit PE files
Source: K5hW6I5xeA.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: K5hW6I5xeA.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA57045 FindFirstFileExA, 2_2_6EA57045

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000002.00000002.836708742.0000000000F7B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Caveat: the only evidence is an application-compatibility hook entry naming DirectDraw (ddraw.dll, DirectDrawCreateEx), not a DirectInput object. XML fragments of this form are characteristic of Windows shim data that is mapped into ordinary processes, so this signature is not evidence of keystroke capture on its own.

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 9.2.rundll32.exe.4d30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA52300 CryptDecrypt,CryptSetKeyParam,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptAcquireContextA,CryptAcquireContextA,CryptImportKey,VirtualAlloc, 2_2_6EA52300
All three Yara matches are on an unpacked PE image in the memory of rundll32.exe process 9 (base 0x4D30000, also available as the listed .unpack files), not on the submitted file, which on disk is flagged by only 28% of VirusTotal engines. The Emotet core is therefore exposed only after the CryptoAPI decryption routine listed above has run; dump or use the 0x4D30000 region for configuration extraction rather than the file on disk.

System Summary:

Uses 32bit PE files
Source: K5hW6I5xeA.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA52A10 2_2_6EA52A10
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA5C678 2_2_6EA5C678
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA51000 2_2_6EA51000
Source: K5hW6I5xeA.dll Virustotal: Detection: 28%
Source: K5hW6I5xeA.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy lookup that Windows performs when starting a process; expected for any process and not an indicator by itself)
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju
loaddll32.exe is the sandbox's DLL harness: it loads the submitted DLL and starts one rundll32.exe per entry point (ordinal #1 via cmd.exe /C, Control_RunDLL, and the two exports ewjabexomfikq and fkehpgdsrju). The random-looking export names belong to the DLL itself and are a useful hunting feature; in a real infection the parent would be whatever delivered the DLL rather than loaddll32.exe.
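The process tree above (rundll32.exe started with an ordinal, with Control_RunDLL and with two random-looking exports, one hop through cmd.exe /C) is the part of this report that translates directly into a detection. The following Python is an added example written for this page, not tooling from the sandbox or the report: it runs a rundll32 launch-pattern check over process-creation events constructed from the command lines shown above, plus one constructed benign event as a control. The user-writable path list and the all-lowercase export heuristic are assumptions to be tuned per estate; loaddll32.exe is the sandbox harness, so the parent-process check only looks for cmd.exe.

```python
"""Added example, not part of the sandbox report: flag the rundll32.exe launch
pattern this run exhibits, using constructed process-creation events shaped
like Sysmon Event ID 1 fields (parent image, image, command line)."""
import re
from dataclasses import dataclass, field

# rundll32 <dll>,<entry>, with or without quotes around the DLL path
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)
# Assumption: locations an unprivileged user can write to; extend for your estate.
USER_WRITABLE_RE = re.compile(
    r'^[A-Z]:\\Users\\[^\\]+\\(?:Desktop|Downloads|Documents|AppData)\\|\\Temp\\',
    re.IGNORECASE,
)
# Legitimate entry point that this sample is launched through.
KNOWN_ENTRYPOINTS = {"control_rundll"}


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    command_line: str
    dll: str
    entry: str
    reasons: list = field(default_factory=list)


def analyse(ev: Event):
    """Return a Finding for every rundll32 launch, with the reasons it matched."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return None
    m = RUNDLL_RE.search(ev.command_line)
    if not m:
        return None
    dll, entry = m.group("dll"), m.group("entry")
    reasons = []
    if USER_WRITABLE_RE.search(dll):
        reasons.append("DLL loaded from user-writable path")
    if entry.startswith("#"):
        reasons.append("entry point given by ordinal")
    elif entry.lower() in KNOWN_ENTRYPOINTS:
        reasons.append("Control_RunDLL entry point")
    elif re.fullmatch(r"[a-z]{8,}", entry):
        # Heuristic (assumption): this sample's exports are long, all-lowercase,
        # random-looking names; legitimate exports are usually CamelCase.
        reasons.append("random-looking all-lowercase export name")
    if ev.parent_image.lower().endswith("\\cmd.exe"):
        reasons.append("spawned by cmd.exe")
    return Finding(ev.command_line, dll, entry, reasons)


def is_suspicious(f: Finding) -> bool:
    """Fire on a user-writable DLL plus at least one more reason; Control_RunDLL
    on a system DLL by itself (common and benign) does not fire."""
    return (
        any(r.startswith("DLL loaded from user-writable") for r in f.reasons)
        and len(f.reasons) >= 2
    )


def scan(events):
    return [f for f in map(analyse, events) if f is not None]


# Constructed events; the first four command lines are the ones in the report.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
          r'rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1'),
    Event(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
          r"rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL"),
    Event(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
          r"rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq"),
    Event(r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
          r"rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju"),
    # constructed benign control: a system DLL opened the ordinary way
    Event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
          r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("SUSPICIOUS" if is_suspicious(f) else "ok        ", f.entry, f.reasons)
```

The verdict deliberately requires the user-writable path in combination with something else, because Control_RunDLL on a DLL under System32 is how the Control Panel is opened every day; the ordinal and random-export cases are what set this sample apart.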
Source: classification engine Classification label: mal68.troj.evad.winDLL@11/0@0/0 (score 68, tagged trojan and evasive, Windows DLL; the trailing counters record 11 processes, no dropped files, no contacted IPs and no DNS queries, matching the no-activity findings below)
Source: K5hW6I5xeA.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: K5hW6I5xeA.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: K5hW6I5xeA.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: K5hW6I5xeA.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: K5hW6I5xeA.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: K5hW6I5xeA.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
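The static PE facts listed under Compliance and here (32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, DYNAMIC_BASE, NX_COMPAT, and which section hosts each data directory) can be re-checked without the sandbox. The parser below is an added example written for this page, not sandbox code; it reads those fields from a PE32 header with the standard library only. The sample itself is not included, so a minimal PE32 image carrying the same flags is constructed inline for the demonstration; pass a path on the command line to run it on a real file.

```python
"""Added example (not part of the Joe Sandbox report): read the PE header
flags the report lists under 'Static PE information'. The sample is not
available here, so build_sample_image() constructs a minimal PE32 DLL header
with the same flags; parse_pe_flags() works unchanged on a real PE32 file."""
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

CHARACTERISTICS = {
    IMAGE_FILE_EXECUTABLE_IMAGE: "EXECUTABLE_IMAGE",
    IMAGE_FILE_32BIT_MACHINE: "32BIT_MACHINE",
    IMAGE_FILE_DLL: "DLL",
}
DLL_CHARACTERISTICS = {
    IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: "DYNAMIC_BASE",
    IMAGE_DLLCHARACTERISTICS_NX_COMPAT: "NX_COMPAT",
}
# IMAGE_DIRECTORY_ENTRY_* indices the report comments on
DIRECTORIES = {1: "IMPORT", 2: "RESOURCE", 5: "BASERELOC", 10: "LOAD_CONFIG", 12: "IAT"}


def parse_pe_flags(data: bytes) -> dict:
    """Return machine, Characteristics, DllCharacteristics and, for each data
    directory of interest, the name of the section that contains its RVA."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled; PE32+ uses other offsets")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]      # DllCharacteristics
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]         # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(n_dirs)]
    sec_table = opt + opt_size
    sections = []
    for i in range(nsections):                                   # 40-byte section headers
        off = sec_table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        sections.append((name, vaddr, vsize))

    def section_of(rva):
        for name, vaddr, vsize in sections:
            if vaddr <= rva < vaddr + vsize:
                return name
        return None

    return {
        "machine": machine,
        "characteristics": sorted(n for f, n in CHARACTERISTICS.items() if characteristics & f),
        "dll_characteristics": sorted(n for f, n in DLL_CHARACTERISTICS.items() if dll_chars & f),
        "directories": {DIRECTORIES[i]: section_of(rva)
                        for i, (rva, size) in enumerate(dirs) if i in DIRECTORIES and size},
    }


def build_sample_image() -> bytes:
    """Constructed stand-in for the sample: headers only, with the flags and
    section layout the report describes. Not the real file."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 224  # PE32 optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, opt_size,
                       IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_DLL)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    struct.pack_into("<I", opt, 92, 16)
    # assumed layout: .text 0x1000, .rdata 0x5000, .rsrc 0x8000, .reloc 0x9000
    for idx, (rva, size) in {1: (0x5100, 0x80), 2: (0x8000, 0x200), 5: (0x9000, 0x100),
                             10: (0x5400, 0x40), 12: (0x5000, 0x100)}.items():
        struct.pack_into("<II", opt, 96 + 8 * idx, rva, size)
    secs = b""
    for name, vaddr, vsize in [(b".text", 0x1000, 0x4000), (b".rdata", 0x5000, 0x3000),
                               (b".rsrc", 0x8000, 0x1000), (b".reloc", 0x9000, 0x1000)]:
        secs += name.ljust(8, b"\0") + struct.pack("<II", vsize, vaddr) + b"\0" * 24
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(parse_pe_flags(data))
```

Note that DYNAMIC_BASE and NX_COMPAT are linker defaults in modern toolchains and say nothing about intent; their value for this report is only that the sample is a conventional 32-bit DLL that runs under rundll32.exe without needing a loader of its own.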

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA53C66 push ecx; ret 2_2_6EA53C79
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (reported for each of the four rundll32.exe processes)

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA525AA second address: 000000006EA525B9 instructions:
    0x00000000 rdtscp
    0x00000003 mov dword ptr [esp+60h], 00000000h
    0x0000000b mov dword ptr [esp+60h], ecx
    0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA525B9 second address: 000000006EA525D9 instructions:
    0x00000000 rdtscp
    0x00000003 mov dword ptr [esp+5Ch], 00000000h
    0x0000000b mov dword ptr [esp+5Ch], ecx
    0x0000000f nop dword ptr [eax+eax+00000000h]
    0x00000017 inc esi
    0x00000018 mov dword ptr [esp+64h], 00000000h
    0x00000020 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions:
    0x00000000 rdtscp
    0x00000003 mov dword ptr [esp+64h], ecx
    0x00000007 movd xmm0, esi
    0x0000000b cvtdq2pd xmm0, xmm0
    0x0000000f comisd xmm2, xmm0
    0x00000013 jnc 00007F4D65053704h
    0x00000015 inc esi
    0x00000016 mov dword ptr [esp+64h], 00000000h
    0x0000001e rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions: identical to the preceding fragment except for the branch target, jnc 00007F4D6476A404h
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: the same three fragments (000000006EA525AA to 000000006EA525B9, 000000006EA525B9 to 000000006EA525D9, 000000006EA525D9 to 000000006EA525D9) were intercepted in this process with instruction sequences identical to those listed above.
Read together, the fragments are one loop between 6EA525AA and 6EA525D9, consistent with the rdtscp reported below at 2_2_6EA52570: each iteration executes rdtscp, stores the TSC_AUX value that rdtscp returns in ecx on the stack, increments the counter in esi, converts it to a double (movd, cvtdq2pd) and compares it with a threshold held in xmm2 (comisd, jnc). Only the loop counter is compared inside the captured window, so the cycle-count delta that produces the virtualization verdict is consumed elsewhere in the routine; when replaying the sample under a debugger, expect the result to depend on the whole loop rather than on a single pair of rdtscp reads.
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA52570 rdtscp 2_2_6EA52570
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA57045 FindFirstFileExA, 2_2_6EA57045

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA53A9C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EA53A9C
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA56B21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6EA56B21
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA535A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6EA535A6
Caveat: IsDebuggerPresent paired with SetUnhandledExceptionFilter/UnhandledExceptionFilter (and, in the last routine, GetCurrentProcess/TerminateProcess) is the statically linked MSVC runtime's security-failure handler (__raise_securityfailure / __report_gsfailure), present in most Visual C++ builds. It is not evidence of deliberate anti-debugging by the sample.
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA56AEE mov eax, dword ptr fs:[00000030h] 2_2_6EA56AEE
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA528D0 mov eax, dword ptr fs:[00000030h] 2_2_6EA528D0
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA52DF0 mov eax, dword ptr fs:[00000030h] 2_2_6EA52DF0
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA55900 mov eax, dword ptr fs:[00000030h] 2_2_6EA55900
The fs:[30h] reads deserve a closer look than the CRT noise above: the runtime reads the PEB too, but four separate routines doing so is a common sign of manual API resolution through the loader's module list (PEB->Ldr), which would bypass the import table the static scan saw.
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA5817A GetProcessHeap, 2_2_6EA5817A

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp Binary or memory strings: Program Manager, Shell_TrayWnd, Progman, Progmanlock
Caveat: the process-creation line is the only evidence shown for the suspended-mode claim; the creation flags themselves are not in the report. "Program Manager", "Progman" and "Shell_TrayWnd" are the window title and class names of the Windows desktop shell, and the strings sit in regions with identical attributes in all four rundll32.exe processes, which points to shared system data rather than window-finding code in the sample.

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA53C7C cpuid 2_2_6EA53C7C
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6EA536C7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_6EA536C7
This four-call sequence is the MSVC runtime's stack-cookie initialisation (__security_init_cookie), part of the statically linked CRT rather than sample-specific system fingerprinting.

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 9.2.rundll32.exe.4d30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.4d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, type: MEMORY

No contacted IP infos (no IPs or domains were contacted during the analysis, matching the "no activity detected" result for DNS queries above)