Play interactive tour

Edit tour

Windows Analysis Report K5hW6I5xeA

Overview

General Information

Sample Name:	K5hW6I5xeA (renamed file extension from none to dll)
Analysis ID:	531949
MD5:	d89375ecbc2638d71f6cc446947adb71
SHA1:	d9cd4340910bd1dd2f3d576fd7ea5fdfd6671060
SHA256:	e523b545ce399ceb37ba1fb400ba5e7a285e6d4c1e3ae5bbd5607ce538b64ac7
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected Emotet

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

Creates a process in suspended mode (likely to inject code)

Contains functionality for execution timing, often used to detect debuggers

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6692 cmdline: loaddll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 4592 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5880 cmdline: rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4344 cmdline: rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6376 cmdline: rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6752 cmdline: rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Unpacked PEs

Source	Rule	Description	Author
9.2.rundll32.exe.4d30000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.4d30000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
9.2.rundll32.exe.4d30000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.4d30000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: K5hW6I5xeA.dll

Virustotal: Detection: 28%

Perma Link

Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA52300 CryptDecrypt,CryptSetKeyParam,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptAcquireContextA,CryptAcquireContextA,CryptImportKey,VirtualAlloc,
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA54940 CryptAcquireContextA,

Source: K5hW6I5xeA.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: K5hW6I5xeA.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6EA57045 FindFirstFileExA,

Source: loaddll32.exe, 00000002.00000002.836708742.0000000000F7B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 9.2.rundll32.exe.4d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.4d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6EA52300 CryptDecrypt,CryptSetKeyParam,CryptReleaseContext,CryptDestroyKey,CryptImportKey,CryptAcquireContextA,CryptAcquireContextA,CryptImportKey,VirtualAlloc,

Source: K5hW6I5xeA.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA52A10
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA5C678
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA51000

Source: K5hW6I5xeA.dll

Virustotal: Detection: 28%

Source: K5hW6I5xeA.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1

Source: classification engine

Classification label: mal68.troj.evad.winDLL@11/0@0/0

Source: K5hW6I5xeA.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: K5hW6I5xeA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: K5hW6I5xeA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: K5hW6I5xeA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: K5hW6I5xeA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: K5hW6I5xeA.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6EA53C66 push ecx; ret

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA525AA second address: 000000006EA525B9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+60h], 00000000h 0x0000000b mov dword ptr [esp+60h], ecx 0x0000000f rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA525B9 second address: 000000006EA525D9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+5Ch], 00000000h 0x0000000b mov dword ptr [esp+5Ch], ecx 0x0000000f nop dword ptr [eax+eax+00000000h] 0x00000017 inc esi 0x00000018 mov dword ptr [esp+64h], 00000000h 0x00000020 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+64h], ecx 0x00000007 movd xmm0, esi 0x0000000b cvtdq2pd xmm0, xmm0 0x0000000f comisd xmm2, xmm0 0x00000013 jnc 00007F4D65053704h 0x00000015 inc esi 0x00000016 mov dword ptr [esp+64h], 00000000h 0x0000001e rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+64h], ecx 0x00000007 movd xmm0, esi 0x0000000b cvtdq2pd xmm0, xmm0 0x0000000f comisd xmm2, xmm0 0x00000013 jnc 00007F4D6476A404h 0x00000015 inc esi 0x00000016 mov dword ptr [esp+64h], 00000000h 0x0000001e rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006EA525AA second address: 000000006EA525B9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+60h], 00000000h 0x0000000b mov dword ptr [esp+60h], ecx 0x0000000f rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006EA525B9 second address: 000000006EA525D9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+5Ch], 00000000h 0x0000000b mov dword ptr [esp+5Ch], ecx 0x0000000f nop dword ptr [eax+eax+00000000h] 0x00000017 inc esi 0x00000018 mov dword ptr [esp+64h], 00000000h 0x00000020 rdtscp
Source: C:\Windows\System32\loaddll32.exe	RDTSC instruction interceptor: First address: 000000006EA525D9 second address: 000000006EA525D9 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+64h], ecx 0x00000007 movd xmm0, esi 0x0000000b cvtdq2pd xmm0, xmm0 0x0000000f comisd xmm2, xmm0 0x00000013 jnc 00007F4D65053704h 0x00000015 inc esi 0x00000016 mov dword ptr [esp+64h], 00000000h 0x0000001e rdtscp

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6EA52570 rdtscp

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6EA57045 FindFirstFileExA,

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6EA53A9C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA56AEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA528D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA52DF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA52DF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA55900 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6EA5817A GetProcessHeap,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6EA52570 rdtscp

Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA53A9C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA56B21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe	Code function: 2_2_6EA535A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1

Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000005.00000002.900961569.0000000002CD0000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.815423711.0000000002CF0000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.898119052.0000000002BF0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.902935015.00000000038A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6EA53C7C cpuid

Source: C:\Windows\System32\loaddll32.exe

Code function: 2_2_6EA536C7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 9.2.rundll32.exe.4d30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.4d30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Rundll321	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Data Encrypted for Impact1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Security Software Discovery13	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery112	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
K5hW6I5xeA.dll	28%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
9.2.rundll32.exe.4d30000.0.unpack	100%	Avira	HEUR/AGEN.1110387		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	531949
Start date:	01.12.2021
Start time:	15:23:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 17s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	K5hW6I5xeA (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winDLL@11/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 89.5%) Quality average: 75.8% Quality standard deviation: 32.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded domains from analysis (whitelisted): client.wns.windows.com, ctldl.windowsupdate.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.673697209310638
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	K5hW6I5xeA.dll
File size:	273920
MD5:	d89375ecbc2638d71f6cc446947adb71
SHA1:	d9cd4340910bd1dd2f3d576fd7ea5fdfd6671060
SHA256:	e523b545ce399ceb37ba1fb400ba5e7a285e6d4c1e3ae5bbd5607ce538b64ac7
SHA512:	46a132edd6e8765b11d14a2dd995617fcffe04c081a028b7339f06db7653ec2ea91870fc123bc21cab39c84bbecf70c6a08a6e1e72705835697790a813773ba0
SSDEEP:	6144:I+/WjBDXCrZukVAAYCcVwnmU3PbnvOWRPyrLzP:lWGACc2PlRKrLzP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}.`d9..79..79..7J..63..7J..6...7J..6+..7k..6%..7k..66..7k..6+..7J..6:..79..7k..7...60..7...68..7...78..7...68..7Rich9..7.......

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10003583
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A7688F [Wed Dec 1 12:20:31 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	3bc41ab907dcf32970630360a7a2019f

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F4D64AB75D7h
call 00007F4D64AB7758h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F4D64AB7488h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1000E00Ch]
push dword ptr [ebp+08h]
call dword ptr [1000E008h]
push C0000409h
call dword ptr [1000E010h]
push eax
call dword ptr [1000E014h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call 00007F4D64AC0C36h
test eax, eax
je 00007F4D64AB75D7h
push 00000002h
pop ecx
int 29h
mov dword ptr [10043868h], eax
mov dword ptr [10043864h], ecx
mov dword ptr [10043860h], edx
mov dword ptr [1004385Ch], ebx
mov dword ptr [10043858h], esi
mov dword ptr [10043854h], edi
mov word ptr [10043880h], ss
mov word ptr [10043874h], cs
mov word ptr [10043850h], ds
mov word ptr [1004384Ch], es
mov word ptr [10043848h], fs
mov word ptr [10043844h], gs
pushfd
pop dword ptr [10043878h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [1004386Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [10043870h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x42400	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4257c	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x48000	0xea4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x41f80	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc387	0xc400	False	0.582011320153	data	6.66250995052	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x34b56	0x34c00	False	0.730320645735	data	6.21371435728	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x43000	0x30d0	0x800	False	0.16357421875	data	2.04808247088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0xf8	0x200	False	0.3359375	data	2.52739185048	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x48000	0xea4	0x1000	False	0.763671875	data	6.28630296444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x47060	0x91	XML 1.0 document text	English	United States

Imports

DLL

Import

KERNEL32.dll

GetProcessHeap, WriteConsoleW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, InterlockedFlushSList, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, RaiseException, ExitProcess, GetModuleHandleExW, GetModuleFileNameA, MultiByteToWideChar, WideCharToMultiByte, HeapAlloc, HeapFree, FindClose, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetStdHandle, GetFileType, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x10002540
ewjabexomfikq	2	0x10002810
fkehpgdsrju	3	0x10002890
hccjznkicyecp	4	0x10002860
hdekbiavwfv	5	0x100028a0
jhvbaqehqk	6	0x10002880
neqhjiziu	7	0x10002850
nlrehsflisyuqnf	8	0x10002830
qgtkxvadqyopue	9	0x10002820
rawlhsccualjvyace	10	0x100028b0
tjyttnnknxvspvdyq	11	0x100028c0
useprszs	12	0x10002840
wjainmjvfb	13	0x10002800
wrenlws	14	0x10002870

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6692 Parent PID: 5724

General

Start time:	15:24:09
Start date:	01/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll"
Imagebase:	0x240000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 4592 Parent PID: 6692

General

Start time:	15:24:09
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4344 Parent PID: 6692

General

Start time:	15:24:10
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,Control_RunDLL
Imagebase:	0x80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5880 Parent PID: 4592

General

Start time:	15:24:10
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\K5hW6I5xeA.dll",#1
Imagebase:	0x80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6376 Parent PID: 6692

General

Start time:	15:24:14
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,ewjabexomfikq
Imagebase:	0x80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6752 Parent PID: 6692

General

Start time:	15:24:18
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\K5hW6I5xeA.dll,fkehpgdsrju
Imagebase:	0x80000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.914221138.0000000004D30000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report K5hW6I5xeA

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 6692 Parent PID: 5724

General

Analysis Process: cmd.exe PID: 4592 Parent PID: 6692

General

Analysis Process: rundll32.exe PID: 4344 Parent PID: 6692