Windows Analysis Report spZRMihlrkFGqYq1f.dll

Overview

General Information

Sample Name: spZRMihlrkFGqYq1f.dll
Analysis ID: 531996
MD5: 9f4fa905fd685d28c4ff28f24ad224a1
SHA1: e186e0869276d3af6465d7c754b22527c7ac2ced
SHA256: 808e8247efd685bdbae3ea0e55de1e8ed8aecd1359a213b0c6291b73f007fdaf

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 7.2.rundll32.exe.5970000.12.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
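The extractor output above is a JSON object with a "C2 list" of ip:port strings (the same list is repeated one IP per line under Networking) and two base64 "Public Key" blobs. The following Python is an added example by the editor, not sandbox output and not code from the sample: it normalises the C2 list into (ip, port) tuples and decodes the key blobs. It assumes, which the report does not state, that each blob is a Windows CNG BCRYPT_ECCKEY_BLOB (u32 magic, u32 cbKey, then X and Y as big-endian cbKey-byte integers), so the magic identifies the key type. The decoded magics ("ECS1" = ECDSA P-256, "ECK1" = ECDH P-256) are consistent with Emotet's late-2021 rework, which pairs an ECDH key for session key agreement with an ECDSA key for verifying server responses. The on-curve check is the caveat a practitioner wants before reusing an extracted key: a mis-carved or truncated blob usually fails it.

```python
"""Parse the Emotet configuration extracted by the sandbox: normalise the
C2 list and decode the two base64 "Public Key" blobs.

Added example (editor's code). Assumption not stated by the report: the
blobs are Windows CNG BCRYPT_ECCKEY_BLOB structures
(u32 magic, u32 cbKey, X[cbKey], Y[cbKey], coordinates big-endian).
"""
import base64
import json
import struct
from collections import Counter

# Copied verbatim from the "Malware Configuration Extractor" line of the report.
CONFIG = json.loads("""{"C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}""")

# CNG magic values for P-256 public keys: little-endian u32 of "ECS1" / "ECK1".
MAGICS = {
    0x31534345: "ECDSA P-256 public key",  # BCRYPT_ECDSA_PUBLIC_P256_MAGIC
    0x314B4345: "ECDH P-256 public key",   # BCRYPT_ECDH_PUBLIC_P256_MAGIC
}

# NIST P-256 domain parameters, used only to sanity-check decoded points.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def on_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 + A*x + B over GF(P)."""
    return 0 <= x < P and 0 <= y < P and (y * y - (x * x * x + A * x + B)) % P == 0


def parse_ecc_blob(b64: str) -> dict:
    """Decode one base64 CNG ECC public key blob from the configuration."""
    raw = base64.b64decode(b64, validate=True)
    magic, cb_key = struct.unpack_from("<II", raw, 0)
    if len(raw) != 8 + 2 * cb_key:
        raise ValueError(f"blob is {len(raw)} bytes, expected {8 + 2 * cb_key}")
    x = int.from_bytes(raw[8:8 + cb_key], "big")
    y = int.from_bytes(raw[8 + cb_key:8 + 2 * cb_key], "big")
    return {
        "magic": raw[:4].decode("ascii"),
        "algorithm": MAGICS.get(magic, "unknown"),
        "key_bits": cb_key * 8,
        "x": x,
        "y": y,
        # Only meaningful for a 256-bit key; a carving error normally fails here.
        "on_curve": on_curve(x, y) if cb_key == 32 else None,
    }


def c2_endpoints(config: dict) -> list:
    """Unique (ip, port) tuples from the 'C2 list', sorted for stable output."""
    seen = set()
    for entry in config["C2 list"]:
        ip, _, port = entry.rpartition(":")
        seen.add((ip, int(port)))
    return sorted(seen)


def c2_port_counts(config: dict) -> dict:
    """Number of C2 servers listening on each port."""
    return dict(Counter(port for _, port in c2_endpoints(config)))


if __name__ == "__main__":
    for ip, port in c2_endpoints(CONFIG):
        print(f"{ip}:{port}")
    print("servers per port:", c2_port_counts(CONFIG))
    for blob in CONFIG["Public Key"]:
        info = parse_ecc_blob(blob)
        print(info["magic"], info["algorithm"], info["key_bits"], "bits, on curve:", info["on_curve"])
```

The sorted (ip, port) list is the form to feed a blocklist or Suricata rule generator; the decoded keys are what you compare across samples to cluster them by Emotet epoch, since the botnet rotates C2 addresses far more often than its keys.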
Multi AV Scanner detection for submitted file
Source: spZRMihlrkFGqYq1f.dll Metadefender: Detection: 42%
Source: spZRMihlrkFGqYq1f.dll ReversingLabs: Detection: 56%

Compliance:

Uses 32bit PE files
Source: spZRMihlrkFGqYq1f.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002592C lstrlenA,FindFirstFileA,FindClose, 3_2_1002592C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F3E9 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_1002F3E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE1A80 FindFirstFileW, 7_2_04EE1A80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49775 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 51.178.61.60:443
Source: Malware configuration extractor IPs: 168.197.250.14:80
Source: Malware configuration extractor IPs: 45.79.33.48:8080
Source: Malware configuration extractor IPs: 196.44.98.190:8080
Source: Malware configuration extractor IPs: 177.72.80.14:7080
Source: Malware configuration extractor IPs: 51.210.242.234:8080
Source: Malware configuration extractor IPs: 185.148.169.10:8080
Source: Malware configuration extractor IPs: 142.4.219.173:8080
Source: Malware configuration extractor IPs: 78.47.204.80:443
Source: Malware configuration extractor IPs: 78.46.73.125:443
Source: Malware configuration extractor IPs: 37.44.244.177:8080
Source: Malware configuration extractor IPs: 37.59.209.141:8080
Source: Malware configuration extractor IPs: 191.252.103.16:80
Source: Malware configuration extractor IPs: 54.38.242.185:443
Source: Malware configuration extractor IPs: 85.214.67.203:8080
Source: Malware configuration extractor IPs: 54.37.228.122:443
Source: Malware configuration extractor IPs: 207.148.81.119:8080
Source: Malware configuration extractor IPs: 195.77.239.39:8080
Source: Malware configuration extractor IPs: 66.42.57.149:443
Source: Malware configuration extractor IPs: 195.154.146.35:443
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
  GET /ZKzoaCRaSGPOqJVHjhZJzdCfaeZvESlfQfwHxNYMOhGmjZbKSRXfZNvJ HTTP/1.1
  Cookie: BbabBTNqIR=qrh4znIW0vRoZUgVJJVgzfQvY9C+RpRussFCR/fGFdtMBlPVybXrZsLF92dUNSOaN7UtApPRkIXlq1+7rNMFKl/GD+kwN0+UKJ1vSTU/v1LmGzXvNL9Y6Ncf4sehP3YL6oaRsTpSuU6YzoarwBbK29kvoAsGOYRv6Xj3viHnIeOCY6VwhklOKsvWD+GGQWp/+KzcLqZXdf6vX1pw51ydx7BZAIYsZ4oO5HPx+C0OX/W7prasTQF+SxpB+l8kw9kHpKuLSE3MN5eruU/U1ZyDN8wwOUnkB9ePec54mFaBjmfD1QEzkF2yYIRzHwr7O5Mz0xHblcofjcNex7IClSGUVtOK3eIw
  Host: 51.178.61.60
  Connection: Keep-Alive
  Cache-Control: no-cache
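The request logged above has the shape this signature is built around: a GET to a bare IP in the Host header, no User-Agent, a long random alphabetic path, and a single cookie whose value is one opaque base64-looking token carrying the encrypted beacon. The following Python is an added example by the editor, not a sandbox, Snort or Emotet rule: it parses a raw HTTP request and scores those four traits, run over the report's request (reconstructed with CRLF line endings) and a constructed benign request for contrast. The thresholds (16-character path, 64-character cookie value, score of 3 to flag) are the editor's assumptions.

```python
"""Score a raw HTTP request for the traffic shape flagged by the
"HTTP GET or POST without a user agent" signature above.

Added example (editor's heuristic, not a rule from the sandbox or the
sample). Thresholds are assumptions chosen for this report's request.
"""
import ipaddress
import re

# The report's request, with headers split onto CRLF lines.
EMOTET_REQUEST = (
    "GET /ZKzoaCRaSGPOqJVHjhZJzdCfaeZvESlfQfwHxNYMOhGmjZbKSRXfZNvJ HTTP/1.1\r\n"
    "Cookie: BbabBTNqIR=qrh4znIW0vRoZUgVJJVgzfQvY9C+RpRussFCR/fGFdtMBlPVybXrZsLF92dUNSOaN7UtApPRkIXlq1+7rNMFKl/GD+kwN0+UKJ1vSTU/v1LmGzXvNL9Y6Ncf4sehP3YL6oaRsTpSuU6YzoarwBbK29kvoAsGOYRv6Xj3viHnIeOCY6VwhklOKsvWD+GGQWp/+KzcLqZXdf6vX1pw51ydx7BZAIYsZ4oO5HPx+C0OX/W7prasTQF+SxpB+l8kw9kHpKuLSE3MN5eruU/U1ZyDN8wwOUnkB9ePec54mFaBjmfD1QEzkF2yYIRzHwr7O5Mz0xHblcofjcNex7IClSGUVtOK3eIw\r\n"
    "Host: 51.178.61.60\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "\r\n"
)

# Constructed benign request for contrast (not from the report).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Path of one long alphanumeric segment, no extension, no query string.
RANDOM_PATH = re.compile(r"^/[A-Za-z0-9]{16,}$")
# A single cookie value that is one long base64-alphabet token.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def parse_request(raw: str):
    """Split a raw request into (method, path, headers); header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def emotet_http_traits(raw: str) -> dict:
    """Return the four trait flags, their sum, and a verdict at score >= 3."""
    _method, path, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0]  # drop an explicit port
    try:
        ipaddress.ip_address(host)
        host_is_ip = True
    except ValueError:
        host_is_ip = False
    cookie = headers.get("cookie", "")
    _name, _, cookie_value = cookie.partition("=")
    traits = {
        "no_user_agent": "user-agent" not in headers,
        "host_is_ip": host_is_ip,
        "random_path": bool(RANDOM_PATH.match(path)),
        # Exactly one cookie (no ';' separator) whose value is one opaque token.
        "opaque_cookie": ";" not in cookie and bool(OPAQUE_VALUE.match(cookie_value)),
    }
    score = sum(traits.values())
    traits["score"] = score
    traits["suspicious"] = score >= 3
    return traits


if __name__ == "__main__":
    print("report request:", emotet_http_traits(EMOTET_REQUEST))
    print("benign request:", emotet_http_traits(BENIGN_REQUEST))
```

Expect false positives from internal tooling that talks to IP-addressed APIs without a User-Agent; the random path and single opaque cookie are the traits that separate this beacon from that traffic, which is why the verdict needs three of four rather than any one.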
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190 196.44.98.190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60 (10 occurrences)
Note: the svchost.exe strings below are Microsoft Store catalog JSON and vendor URLs held in memory by a Windows service process in the sandbox image; they are not strings from the sample and should not be treated as indicators.
Source: svchost.exe, 0000000C.00000003.824839252.000001A770389000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.824839252.000001A770389000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000C.00000003.824839252.000001A770389000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.824813205.000001A7703A0000.00000004.00000001.sdmp String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z||.||6f0c105d-3db6-47de-894d-fd95973349e2||1152921505694224549||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000C.00000002.841835956.000001A770300000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000C.00000003.815472135.000001A77036C000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815399183.000001A77038E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.815513139.000001A7703DD000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000C.00000003.818284709.000001A77038B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818383957.000001A770802000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818022632.000001A7703A2000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818039351.000001A7703A2000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.818344967.000001A770372000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EF1027 InternetReadFile, 7_2_04EF1027

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.714043179.0000000000BFB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10014B67 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent, 3_2_10014B67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002C51C ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 3_2_1002C51C

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.5880000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.56b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4910000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.59a0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4880000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4880000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5a90000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4a40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5bd0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.34d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.56e0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5a90000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5970000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5ba0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5ba0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4710000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4f80000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ea0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4a40000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.41a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.42d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.58b0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ed0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4a70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4040000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5880000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.30a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4630000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3fc0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.41a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.56b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.48e0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5810000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5810000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5970000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.48b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.30a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.48e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ea0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5600000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.30d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4f80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5ac0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.1231555705.0000000003380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.715083656.00000000042D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232688117.0000000005A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232050333.0000000004ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712245563.00000000046E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712289758.0000000004711000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232447127.0000000005810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232307431.0000000005601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1231756136.00000000034D1000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232722292.0000000005AC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232778778.0000000005BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232026757.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232814811.0000000005BD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232471736.0000000005841000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232588764.0000000005970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712514212.00000000048B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712664698.0000000004911000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712162779.0000000004631000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232613063.00000000059A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712727948.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232537029.00000000058B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232513916.0000000005880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232107048.0000000004F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.714978387.00000000041A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.711795712.0000000004040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.710421091.00000000030D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.711701070.0000000003FC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712440145.0000000004880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712583531.00000000048E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232396043.00000000056E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232361987.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712769808.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.711647577.0000000003F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.710385050.00000000030A0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: spZRMihlrkFGqYq1f.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Feetevsox\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003F030 3_2_1003F030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003D322 3_2_1003D322
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100104FC 3_2_100104FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003B57C 3_2_1003B57C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004C668 3_2_1004C668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10040E8A 3_2_10040E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E43B3 4_2_030E43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D441E 4_2_030D441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030ECAA8 4_2_030ECAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D2309 4_2_030D2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D3502 4_2_030D3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D251C 4_2_030D251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EFD10 4_2_030EFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F292B 4_2_030F292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D6B25 4_2_030D6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D5923 4_2_030D5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F0B34 4_2_030F0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EF14D 4_2_030EF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D3345 4_2_030D3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F1343 4_2_030F1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D3F5C 4_2_030D3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DC158 4_2_030DC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E056A 4_2_030E056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E1F6B 4_2_030E1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E577E 4_2_030E577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D758F 4_2_030D758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E4D8D 4_2_030E4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D4F8E 4_2_030D4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D9384 4_2_030D9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030ED99A 4_2_030ED99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EB397 4_2_030EB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DFD91 4_2_030DFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F1193 4_2_030F1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E4BAA 4_2_030E4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E2FA2 4_2_030E2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E9DA1 4_2_030E9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EB1B5 4_2_030EB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DBFB6 4_2_030DBFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E7BB2 4_2_030E7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D6FC4 4_2_030D6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F25C3 4_2_030F25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DA3DF 4_2_030DA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D55E8 4_2_030D55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EBFE8 4_2_030EBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DC5FE 4_2_030DC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F03F1 4_2_030F03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D8C09 4_2_030D8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D1A0A 4_2_030D1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D220A 4_2_030D220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D4C00 4_2_030D4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DE21C 4_2_030DE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DF41F 4_2_030DF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E1C10 4_2_030E1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DEC27 4_2_030DEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E5220 4_2_030E5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DD223 4_2_030DD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D9E22 4_2_030D9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EF83F 4_2_030EF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F1A3C 4_2_030F1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DA048 4_2_030DA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D3845 4_2_030D3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D2A46 4_2_030D2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D2043 4_2_030D2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EE441 4_2_030EE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D2654 4_2_030D2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D9A57 4_2_030D9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E406E 4_2_030E406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D1C76 4_2_030D1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DCC8D 4_2_030DCC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E4E8A 4_2_030E4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E748A 4_2_030E748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F0687 4_2_030F0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D7283 4_2_030D7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EAC9B 4_2_030EAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DAC95 4_2_030DAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D3C91 4_2_030D3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030ED091 4_2_030ED091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DDAAE 4_2_030DDAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E44AA 4_2_030E44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030ED6A7 4_2_030ED6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E78A5 4_2_030E78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030DFEA0 4_2_030DFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E98BD 4_2_030E98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E90BA 4_2_030E90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D5AB2 4_2_030D5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EBEC9 4_2_030EBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E0ADE 4_2_030E0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030ECCD4 4_2_030ECCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F08D1 4_2_030F08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E7ED1 4_2_030E7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EAEEB 4_2_030EAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EECE3 4_2_030EECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EDEF4 4_2_030EDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D30F6 4_2_030D30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EA8F0 4_2_030EA8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D441E 6_2_042D441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042ECAA8 6_2_042ECAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E43B3 6_2_042E43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DEC27 6_2_042DEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E5220 6_2_042E5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DD223 6_2_042DD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D9E22 6_2_042D9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EF83F 6_2_042EF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042F1A3C 6_2_042F1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D8C09 6_2_042D8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D1A0A 6_2_042D1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D220A 6_2_042D220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D4C00 6_2_042D4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DE21C 6_2_042DE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DF41F 6_2_042DF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E1C10 6_2_042E1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E406E 6_2_042E406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D1C76 6_2_042D1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DA048 6_2_042DA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D3845 6_2_042D3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D2A46 6_2_042D2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D2043 6_2_042D2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EE441 6_2_042EE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D2654 6_2_042D2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D9A57 6_2_042D9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DDAAE 6_2_042DDAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E44AA 6_2_042E44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042ED6A7 6_2_042ED6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E78A5 6_2_042E78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DFEA0 6_2_042DFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E98BD 6_2_042E98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E90BA 6_2_042E90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D5AB2 6_2_042D5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DCC8D 6_2_042DCC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E4E8A 6_2_042E4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E748A 6_2_042E748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042F0687 6_2_042F0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D7283 6_2_042D7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EAC9B 6_2_042EAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DAC95 6_2_042DAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D3C91 6_2_042D3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042ED091 6_2_042ED091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EAEEB 6_2_042EAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EECE3 6_2_042EECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EDEF4 6_2_042EDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D30F6 6_2_042D30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EA8F0 6_2_042EA8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EBEC9 6_2_042EBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E0ADE 6_2_042E0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042ECCD4 6_2_042ECCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042F08D1 6_2_042F08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E7ED1 6_2_042E7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042F292B 6_2_042F292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D6B25 6_2_042D6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D5923 6_2_042D5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042F0B34 6_2_042F0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D2309 6_2_042D2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D3502 6_2_042D3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D251C 6_2_042D251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EFD10 6_2_042EFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E056A 6_2_042E056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E1F6B 6_2_042E1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E577E 6_2_042E577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EF14D 6_2_042EF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D3345 6_2_042D3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042F1343 6_2_042F1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D3F5C 6_2_042D3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DC158 6_2_042DC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E4BAA 6_2_042E4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E2FA2 6_2_042E2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E9DA1 6_2_042E9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EB1B5 6_2_042EB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DBFB6 6_2_042DBFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E7BB2 6_2_042E7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D758F 6_2_042D758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042E4D8D 6_2_042E4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D4F8E 6_2_042D4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D9384 6_2_042D9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042ED99A 6_2_042ED99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EB397 6_2_042EB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DFD91 6_2_042DFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042F1193 6_2_042F1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D55E8 6_2_042D55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EBFE8 6_2_042EBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DC5FE 6_2_042DC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042F03F1 6_2_042F03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D6FC4 6_2_042D6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042F25C3 6_2_042F25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042DA3DF 6_2_042DA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEECE3 7_2_04EEECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEDEF4 7_2_04EEDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED30F6 7_2_04ED30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EF08D1 7_2_04EF08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE7ED1 7_2_04EE7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE44AA 7_2_04EE44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE78A5 7_2_04EE78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED5AB2 7_2_04ED5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE748A 7_2_04EE748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDAC95 7_2_04EDAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED3845 7_2_04ED3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED2043 7_2_04ED2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDEC27 7_2_04EDEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE5220 7_2_04EE5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEF83F 7_2_04EEF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED220A 7_2_04ED220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED441E 7_2_04ED441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED55E8 7_2_04ED55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDC5FE 7_2_04EDC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED6FC4 7_2_04ED6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE4BAA 7_2_04EE4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE2FA2 7_2_04EE2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDBFB6 7_2_04EDBFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED758F 7_2_04ED758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED9384 7_2_04ED9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EF0B34 7_2_04EF0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEAEEB 7_2_04EEAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEA8F0 7_2_04EEA8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEBEC9 7_2_04EEBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE0ADE 7_2_04EE0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EECCD4 7_2_04EECCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDDAAE 7_2_04EDDAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EECAA8 7_2_04EECAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EED6A7 7_2_04EED6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDFEA0 7_2_04EDFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE98BD 7_2_04EE98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE90BA 7_2_04EE90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDCC8D 7_2_04EDCC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE4E8A 7_2_04EE4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EF0687 7_2_04EF0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED7283 7_2_04ED7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEAC9B 7_2_04EEAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED3C91 7_2_04ED3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EED091 7_2_04EED091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE406E 7_2_04EE406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED1C76 7_2_04ED1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDA048 7_2_04EDA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED2A46 7_2_04ED2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEE441 7_2_04EEE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED2654 7_2_04ED2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED9A57 7_2_04ED9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDD223 7_2_04EDD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED9E22 7_2_04ED9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EF1A3C 7_2_04EF1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED8C09 7_2_04ED8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED1A0A 7_2_04ED1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED4C00 7_2_04ED4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDE21C 7_2_04EDE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDF41F 7_2_04EDF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE1C10 7_2_04EE1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEBFE8 7_2_04EEBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EF03F1 7_2_04EF03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EF25C3 7_2_04EF25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDA3DF 7_2_04EDA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE9DA1 7_2_04EE9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEB1B5 7_2_04EEB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE7BB2 7_2_04EE7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE43B3 7_2_04EE43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE4D8D 7_2_04EE4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED4F8E 7_2_04ED4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EED99A 7_2_04EED99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEB397 7_2_04EEB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDFD91 7_2_04EDFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EF1193 7_2_04EF1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE056A 7_2_04EE056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE1F6B 7_2_04EE1F6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE577E 7_2_04EE577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEF14D 7_2_04EEF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED3345 7_2_04ED3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EF1343 7_2_04EF1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED3F5C 7_2_04ED3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EDC158 7_2_04EDC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EF292B 7_2_04EF292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED6B25 7_2_04ED6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED5923 7_2_04ED5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED2309 7_2_04ED2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED3502 7_2_04ED3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED251C 7_2_04ED251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEFD10 7_2_04EEFD10
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1003F350 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1003EE82 appears 50 times
Source: spZRMihlrkFGqYq1f.dll Metadefender: Detection: 42%
Source: spZRMihlrkFGqYq1f.dll ReversingLabs: Detection: 56%
Source: spZRMihlrkFGqYq1f.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis",ayowadvg
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Feetevsox\qeijjyafbaho.gis",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis",ayowadvg
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Feetevsox\qeijjyafbaho.gis",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal96.troj.evad.winDLL@17/0@0/20
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003A742 _memset,GetDiskFreeSpaceA,GetLastError, 3_2_1003A742
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE1B54 CreateToolhelp32Snapshot, 7_2_04EE1B54
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000A0F4 __EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 3_2_1000A0F4
Source: rundll32.exe, 00000004.00000002.710493956.0000000003151000.00000004.00000020.sdmp Binary or memory string: penSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBPA
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_CURSOR
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_BITMAP
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_ICON
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_MENU
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_DIALOG
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_STRING
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_ACCELERATOR
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_GROUP_ICON
Source: spZRMihlrkFGqYq1f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: spZRMihlrkFGqYq1f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: spZRMihlrkFGqYq1f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: spZRMihlrkFGqYq1f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: spZRMihlrkFGqYq1f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003F395 push ecx; ret 3_2_1003F3A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003EF21 push ecx; ret 3_2_1003EF34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030D1229 push eax; retf 4_2_030D129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042D1229 push eax; retf 6_2_042D129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04ED1229 push eax; retf 7_2_04ED129A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004BC7A LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_1004BC7A
PE file contains an invalid checksum
Source: spZRMihlrkFGqYq1f.dll Static PE information: real checksum: 0xb4236 should be: 0xbc245

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Feetevsox\qeijjyafbaho.gis:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000BD3C IsIconic,GetWindowPlacement,GetWindowRect, 3_2_1000BD3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10022F30 GetParent,GetParent,IsIconic,GetParent, 3_2_10022F30
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4244 Thread sleep time: -180000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 2.2 %
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003A2F3 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 3_2_1003A2F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002592C lstrlenA,FindFirstFileA,FindClose, 3_2_1002592C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002F3E9 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_1002F3E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EE1A80 FindFirstFileW, 7_2_04EE1A80
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 0000000C.00000002.841567859.000001A76FC8A000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.841663587.000001A76FCEC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041482 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10041482
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004BC7A LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 3_2_1004BC7A
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003D032 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 3_2_1003D032
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EDE10 mov eax, dword ptr fs:[00000030h] 4_2_030EDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_042EDE10 mov eax, dword ptr fs:[00000030h] 6_2_042EDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_04EEDE10 mov eax, dword ptr fs:[00000030h] 7_2_04EEDE10
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1004A43B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1004A43B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10041482 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10041482
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10039F21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10039F21

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: rundll32.exe, 00000007.00000002.1231869859.00000000039C0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000007.00000002.1231869859.00000000039C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000007.00000002.1231869859.00000000039C0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000007.00000002.1231869859.00000000039C0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 3_2_100472AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_10026ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_10047C26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_10046C52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea, 3_2_1004E4F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 3_2_100474FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA, 3_2_1004A54C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1004D563
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat, 3_2_1004E631
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 3_2_1004E66C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_1004E7A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 3_2_100477C3
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10048EDF GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 3_2_10048EDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10045F08 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 3_2_10045F08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1003D032 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 3_2_1003D032

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.5880000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.56b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4910000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.59a0000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4880000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4880000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5a90000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4a40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5bd0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.34d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.56e0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5a90000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5970000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5ba0000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5ba0000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4710000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4f80000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ea0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4a40000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.41a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.46e0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.42d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.58b0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ed0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4a70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4040000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4040000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5880000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.30a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.4630000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3fc0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.41a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.56b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.48e0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5810000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5810000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5840000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5970000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.48b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.30a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.48e0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4ea0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5600000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.30d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4f80000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5ac0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.1231555705.0000000003380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.715083656.00000000042D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232688117.0000000005A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232050333.0000000004ED1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712245563.00000000046E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712289758.0000000004711000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232447127.0000000005810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232307431.0000000005601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1231756136.00000000034D1000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232722292.0000000005AC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232778778.0000000005BA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232026757.0000000004EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232814811.0000000005BD1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232471736.0000000005841000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232588764.0000000005970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712514212.00000000048B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712664698.0000000004911000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712162779.0000000004631000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232613063.00000000059A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712727948.0000000004A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232537029.00000000058B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232513916.0000000005880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232107048.0000000004F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.714978387.00000000041A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.711795712.0000000004040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.710421091.00000000030D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.711701070.0000000003FC1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712440145.0000000004880000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712583531.00000000048E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232396043.00000000056E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1232361987.00000000056B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.712769808.0000000004A71000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.711647577.0000000003F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.710385050.00000000030A0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000B92A __EH_prolog3_GS,lstrlenW,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, 3_2_1000B92A