Windows Analysis Report spZRMihlrkFGqYq1f.dll

Overview

General Information

Sample Name: spZRMihlrkFGqYq1f.dll
Analysis ID: 531996
MD5: 9f4fa905fd685d28c4ff28f24ad224a1
SHA1: e186e0869276d3af6465d7c754b22527c7ac2ced
SHA256: 808e8247efd685bdbae3ea0e55de1e8ed8aecd1359a213b0c6291b73f007fdaf
Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Sigma detected: Emotet RunDLL32 Process Creation
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Potential key logger detected (key state polling based)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 2.2.rundll32.exe.4f40000.11.unpack Malware Configuration Extractor: Emotet {"C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
Multi AV Scanner detection for submitted file
Source: spZRMihlrkFGqYq1f.dll Virustotal: Detection: 69%
Source: spZRMihlrkFGqYq1f.dll Metadefender: Detection: 42%
Source: spZRMihlrkFGqYq1f.dll ReversingLabs: Detection: 56%

Compliance:

Uses 32bit PE files
Source: spZRMihlrkFGqYq1f.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1002592C lstrlenA,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1002F3E9 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E1A80 FindFirstFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49775 -> 51.178.61.60:443
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187
C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: EcobandGH
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
GET /IJkHjHYuxCdTZukieIYhLRnUuQlzcYbcaXcjoFrjtLCdYogUVaLxnRUqnkImC HTTP/1.1
Cookie: PAQTVlsSYfud=hHS8zfpj4oGmf1BJz19EG4wtDXynDI0rFeTsdmFttAYml0/MBamrj2Ji1+m2lK4MZXHf5PYTXhyurxVEhCtf5E7CksirazP0eBUw+b8GIs8/rWhl4ppyDek9yadBnYnu/OP7jMcO7nFENCnAGjQgt+FpnxDYohm38NGKWJk6N/ZfzNClL0fOql6yiXb5Neq5AZNKM6b8yrT50ZGNxEJw32EAn5oFjwpC2CybO6ZMM4S0eF/K8HS28PVDhodiRcpBkFM=
Host: 51.178.61.60
Connection: Keep-Alive
Cache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.148.81.119
Source: Joe Sandbox View IP Address: 196.44.98.190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: svchost.exe, 0000000C.00000002.422958863.0000022B5C2E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000002.422958863.0000022B5C2E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000C.00000003.401371022.0000022B5CB81000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.401428748.0000022B5CBBF000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.401402578.0000022B5CBAA000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.401388157.0000022B5CB81000.00000004.00000001.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049F1027 InternetReadFile

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10014B67 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1002C51C ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow

E-Banking Fraud:

Yara detected Emotet

System Summary:

Uses 32bit PE files
Source: spZRMihlrkFGqYq1f.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Thkptzp\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A3502 6_2_044A3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A251C 6_2_044A251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044BFD10 6_2_044BFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044C292B 6_2_044C292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A5923 6_2_044A5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A6B25 6_2_044A6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044C0B34 6_2_044C0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A6FC4 6_2_044A6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044C25C3 6_2_044C25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AA3DF 6_2_044AA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044BBFE8 6_2_044BBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AC5FE 6_2_044AC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044C03F1 6_2_044C03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A4F8E 6_2_044A4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A758F 6_2_044A758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B4D8D 6_2_044B4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A9384 6_2_044A9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044BD99A 6_2_044BD99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044AFD91 6_2_044AFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044BB397 6_2_044BB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044C1193 6_2_044C1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B4BAA 6_2_044B4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B2FA2 6_2_044B2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B9DA1 6_2_044B9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044B7BB2 6_2_044B7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044ABFB6 6_2_044ABFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044BB1B5 6_2_044BB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DAC95 7_2_049DAC95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E748A 7_2_049E748A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D5AB2 7_2_049D5AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E44AA 7_2_049E44AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E78A5 7_2_049E78A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049F08D1 7_2_049F08D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E7ED1 7_2_049E7ED1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EDEF4 7_2_049EDEF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D30F6 7_2_049D30F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EECE3 7_2_049EECE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D441E 7_2_049D441E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D220A 7_2_049D220A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EF83F 7_2_049EF83F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DEC27 7_2_049DEC27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E5220 7_2_049E5220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D3845 7_2_049D3845
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D2043 7_2_049D2043
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D758F 7_2_049D758F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D9384 7_2_049D9384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DBFB6 7_2_049DBFB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E4BAA 7_2_049E4BAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E2FA2 7_2_049E2FA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D6FC4 7_2_049D6FC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DC5FE 7_2_049DC5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D55E8 7_2_049D55E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049F0B34 7_2_049F0B34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EAC9B 7_2_049EAC9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D3C91 7_2_049D3C91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049ED091 7_2_049ED091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DCC8D 7_2_049DCC8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E4E8A 7_2_049E4E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049F0687 7_2_049F0687
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D7283 7_2_049D7283
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E98BD 7_2_049E98BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E90BA 7_2_049E90BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DDAAE 7_2_049DDAAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049ECAA8 7_2_049ECAA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049ED6A7 7_2_049ED6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DFEA0 7_2_049DFEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E0ADE 7_2_049E0ADE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049ECCD4 7_2_049ECCD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EBEC9 7_2_049EBEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EA8F0 7_2_049EA8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EAEEB 7_2_049EAEEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DE21C 7_2_049DE21C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DF41F 7_2_049DF41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E1C10 7_2_049E1C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D8C09 7_2_049D8C09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D1A0A 7_2_049D1A0A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D4C00 7_2_049D4C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049F1A3C 7_2_049F1A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DD223 7_2_049DD223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D9E22 7_2_049D9E22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D2654 7_2_049D2654
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D9A57 7_2_049D9A57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DA048 7_2_049DA048
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D2A46 7_2_049D2A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EE441 7_2_049EE441
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D1C76 7_2_049D1C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E406E 7_2_049E406E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049ED99A 7_2_049ED99A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EB397 7_2_049EB397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DFD91 7_2_049DFD91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049F1193 7_2_049F1193
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E4D8D 7_2_049E4D8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D4F8E 7_2_049D4F8E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EB1B5 7_2_049EB1B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E7BB2 7_2_049E7BB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E43B3 7_2_049E43B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E9DA1 7_2_049E9DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DA3DF 7_2_049DA3DF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049F25C3 7_2_049F25C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049F03F1 7_2_049F03F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EBFE8 7_2_049EBFE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D251C 7_2_049D251C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EFD10 7_2_049EFD10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D2309 7_2_049D2309
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D3502 7_2_049D3502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049F292B 7_2_049F292B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D6B25 7_2_049D6B25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D5923 7_2_049D5923
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D3F5C 7_2_049D3F5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049DC158 7_2_049DC158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EF14D 7_2_049EF14D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D3345 7_2_049D3345
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049F1343 7_2_049F1343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E577E 7_2_049E577E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E056A 7_2_049E056A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E1F6B 7_2_049E1F6B
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1003F350 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1003EE82 appears 50 times
Source: spZRMihlrkFGqYq1f.dll Virustotal: Detection: 69%
Source: spZRMihlrkFGqYq1f.dll Metadefender: Detection: 42%
Source: spZRMihlrkFGqYq1f.dll ReversingLabs: Detection: 56%
Source: spZRMihlrkFGqYq1f.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn",wJPKT
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Thkptzp\bxlyirts.twn",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn",wJPKT Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Thkptzp\bxlyirts.twn",Control_RunDLL Jump to behavior
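Reading the process tree above: loaddll32.exe and the cmd.exe /C rundll32.exe "...",#1 stage are the sandbox's own DLL loader, not the sample. The sample's behaviour is the rundll32 -> rundll32 self-spawn that executes the moved copy C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn (a non-.dll extension, inside a freshly created subdirectory of SysWOW64, entered through a random export name and then through Control_RunDLL). The Python below is an added example, not code from the report and not the Sigma rule the report refers to; it runs three assumed detection rules over constructed process-creation events modelled on the command lines above, plus two benign-looking controls that must stay quiet.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Constructed (parent image, command line) pairs modelled on the process tree in
# this report, followed by two benign controls. The first pair is the sandbox
# loader stage, kept here to show how it scores against the rules.
EVENTS: List[Tuple[str, str]] = [
    (r"C:\Windows\System32\loaddll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn",wJPKT'),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Thkptzp\bxlyirts.twn",Control_RunDLL'),
    (r"C:\Windows\explorer.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL"),          # normal Control Panel launch
    (r"C:\Windows\explorer.exe",
     r'rundll32.exe "C:\Program Files\Vendor\helper.dll",Start'),
]

# "module,export" the way rundll32 parses it: optional quotes around the module
# path, then a comma and the export name (or #ordinal).
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
LIBRARY_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax"}


def analyse(parent_image: str, command_line: str) -> List[str]:
    """Return the names of the assumed rules that fire for one process-creation event."""
    match = RUNDLL_RE.search(command_line)
    if not match:
        return []
    module = PureWindowsPath(match.group("module").strip())
    export = match.group("export")
    module_dir = str(module.parent).lower()
    findings: List[str] = []

    # Rule 1: rundll32 spawning rundll32. In the report the first instance
    # re-launches the moved copy from a SysWOW64 subdirectory.
    if parent_image.lower().endswith(r"\rundll32.exe"):
        findings.append("rundll32_spawns_rundll32")

    # Rule 2: module lives in a subdirectory of System32/SysWOW64 (not the
    # directory itself) and lacks a library extension (.twn in the report).
    in_system_subdir = any(module_dir.startswith(d + "\\") for d in SYSTEM_DIRS)
    if in_system_subdir and module.suffix.lower() not in LIBRARY_EXTENSIONS:
        findings.append("module_in_system_subdir_without_dll_extension")

    # Rule 3: Control_RunDLL is shell32's Control Panel entry point; another
    # module exporting it is unusual. Noisy by design: it also fires on the
    # sandbox loader stage above, so treat it as low confidence on its own.
    if export.lower() == "control_rundll" and module.name.lower() != "shell32.dll":
        findings.append("control_rundll_export_on_non_shell32_module")
    return findings


def scan(events: List[Tuple[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> fired rules, for every event that fired at least one rule."""
    results: Dict[int, List[str]] = {}
    for index, (parent, cmd) in enumerate(events):
        fired = analyse(parent, cmd)
        if fired:
            results[index] = fired
    return results


if __name__ == "__main__":
    for index, fired in scan(EVENTS).items():
        print(index, EVENTS[index][1])
        print("   ", ", ".join(fired))
```

Feed it Sysmon event 1 or Security 4688 records (ParentImage and CommandLine) in place of the constructed list. Rule 1 and rule 2 together are the strong signal here; a rule 3 hit alone is not, because any DLL that exports Control_RunDLL will trigger it.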
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: classification engine Classification label: mal96.troj.evad.winDLL@17/0@0/20
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1003A742 _memset,GetDiskFreeSpaceA,GetLastError, 2_2_1003A742
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E1B54 CreateToolhelp32Snapshot, 7_2_049E1B54
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000A0F4 __EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource, 2_2_1000A0F4
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_CURSOR
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_BITMAP
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_ICON
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_MENU
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_DIALOG
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_STRING
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_ACCELERATOR
Source: spZRMihlrkFGqYq1f.dll Static PE information: section name: RT_GROUP_ICON
Source: spZRMihlrkFGqYq1f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: spZRMihlrkFGqYq1f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: spZRMihlrkFGqYq1f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: spZRMihlrkFGqYq1f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: spZRMihlrkFGqYq1f.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1003F395 push ecx; ret 2_2_1003F3A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1003EF21 push ecx; ret 2_2_1003EF34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02D61229 push eax; retf 3_2_02D6129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044A1229 push eax; retf 6_2_044A129A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049D1229 push eax; retf 7_2_049D129A
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1004BC7A LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1004BC7A
PE file contains an invalid checksum
Source: spZRMihlrkFGqYq1f.dll Static PE information: real checksum: 0xb4236 should be: 0xbc245
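A stored CheckSum that does not match the recomputed value, as reported above (0xb4236 stored, 0xbc245 expected), is a weak triage signal on its own: the field is optional for user-mode images, is often zero or stale in legitimate third-party builds, and the loader only validates it for drivers and a few system-critical images. Recomputing it costs nothing, though, and a mismatch on a file that was patched or packed after linking is common. The Python below is an added example, not code from the report or from the sandbox: it implements the PE checksum (16-bit ones'-complement-style sum over the whole file with the CheckSum field skipped, folded to 16 bits, plus the file length) and runs it against a constructed minimal PE header, since the sample itself is not on the page. The header layout assumed is the documented one: CheckSum sits at e_lfanew + 4 (PE signature) + 20 (COFF header) + 64 (offset inside the optional header, the same for PE32 and PE32+).

```python
import struct


def _checksum_field_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum; raises on anything that is not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    offset = e_lfanew + 4 + 20 + 64
    if offset + 4 > len(data):
        raise ValueError("optional header truncated")
    return offset


def pe_checksum(data: bytes) -> int:
    """Recompute the CheckSum field as imagehlp's CheckSumMappedFile does.

    16-bit words are summed with end-around carry (ones' complement addition),
    the two words of the CheckSum field itself are skipped, the result is folded
    to 16 bits and the unpadded file length is added.
    """
    skip = _checksum_field_offset(data)
    padded = data + (b"\0" if len(data) % 2 else b"")
    total = 0
    for off in range(0, len(padded), 2):
        if off == skip or off == skip + 2:
            continue
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry immediately
    total += total >> 16                           # one more fold for a final carry
    total &= 0xFFFF
    return total + len(data)


def read_stored_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def checksum_is_valid(data: bytes) -> bool:
    return read_stored_checksum(data) == pe_checksum(data)


def with_correct_checksum(data: bytes) -> bytes:
    """Return a copy of the image with the CheckSum field rewritten to the computed value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_minimal_pe(stored_checksum: int) -> bytes:
    """Constructed 160-byte stand-in for a PE32 header (assumption: enough for the checksum math).

    Only the fields the parser needs are set: MZ, e_lfanew = 0x40, PE signature,
    Machine = i386, optional-header Magic = PE32, and the CheckSum at 0x98.
    """
    buf = bytearray(160)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x14C)     # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, 0x58, 0x10B)     # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    struct.pack_into("<I", buf, 0x98, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_minimal_pe(0xDEADBEEF)
    print(f"stored 0x{read_stored_checksum(sample):x}, computed 0x{pe_checksum(sample):x}, "
          f"valid={checksum_is_valid(sample)}")
```

To check a real file, pass the whole file contents to checksum_is_valid; for a quick triage rule, treat a stored value of 0 as "not set" (typical of MinGW and hand-built binaries) and only a non-zero mismatch as "modified after linking". Neither case proves anything by itself; it only tells you the file was not left as the linker wrote it.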

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000BD3C IsIconic,GetWindowPlacement,GetWindowRect, 2_2_1000BD3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10022F30 GetParent,GetParent,IsIconic,GetParent, 2_2_10022F30
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 4456 Thread sleep time: -30000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 2.2 %
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1003A2F3 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect, 2_2_1003A2F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1002592C lstrlenA,FindFirstFileA,FindClose, 2_2_1002592C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1002F3E9 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 2_2_1002F3E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049E1A80 FindFirstFileW, 7_2_049E1A80
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 0000000C.00000002.422970473.0000022B5C2F7000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000C.00000003.422114124.0000022B5C279000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.422958863.0000022B5C2E8000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.422851289.0000022B5C279000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10041482 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10041482
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1004BC7A LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1004BC7A
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1003D032 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_1003D032
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02D7DE10 mov eax, dword ptr fs:[00000030h] 3_2_02D7DE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_044BDE10 mov eax, dword ptr fs:[00000030h] 6_2_044BDE10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_049EDE10 mov eax, dword ptr fs:[00000030h] 7_2_049EDE10
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1004A43B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1004A43B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10041482 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10041482
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10039F21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10039F21

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.178.61.60 187 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1 Jump to behavior
Source: rundll32.exe, 00000007.00000002.687008639.0000000003330000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000007.00000002.687008639.0000000003330000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000007.00000002.687008639.0000000003330000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000007.00000002.687008639.0000000003330000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 2_2_10026ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 2_2_1004D563
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10048EDF GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_10048EDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10045F08 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 2_2_10045F08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1003D032 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_1003D032

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 7.2.rundll32.exe.5270000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5590000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.50b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4d50000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5390000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4ad0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5210000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.44a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.49d0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4f40000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5270000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.44a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5480000.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.50e0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4de0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5210000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2d60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5240000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5590000.16.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5360000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4f10000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5000000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.48a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5480000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.50b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.52a0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4d80000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4fd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.55c0000.17.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4db0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4db0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4f10000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.48a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4ad0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4b00000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4d50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4bb0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.54b0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4be0000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.4bb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.5360000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.4fd0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.294421724.0000000002CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.299095986.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.295708086.0000000004470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687143531.00000000048A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686773719.0000000002E80000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688356150.0000000005391000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296174836.0000000004BE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296473938.0000000004F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.686844140.0000000002EB1000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296324799.0000000004D81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296432898.0000000004DE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687491386.0000000004FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296540541.0000000004F41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688282448.0000000005360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688116591.00000000052A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687565744.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687927978.0000000005210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.294515907.0000000002D61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688520704.0000000005480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687727344.00000000050B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.689006243.00000000055C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687967360.0000000005241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.299196346.00000000044A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296066491.0000000004B01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687815211.00000000050E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.687213898.00000000049D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296034357.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688892944.0000000005590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.295759130.00000000044A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296271084.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688613212.00000000054B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.688043473.0000000005270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296143062.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.296388886.0000000004DB0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000B92A __EH_prolog3_GS,lstrlenW,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree, 2_2_1000B92A