Play interactive tour

Edit tour

Windows Analysis Report spZRMihlrkFGqYq1f.dll

Overview

General Information

Sample Name:	spZRMihlrkFGqYq1f.dll
Analysis ID:	531996
MD5:	9f4fa905fd685d28c4ff28f24ad224a1
SHA1:	e186e0869276d3af6465d7c754b22527c7ac2ced
SHA256:	808e8247efd685bdbae3ea0e55de1e8ed8aecd1359a213b0c6291b73f007fdaf
Infos:
Most interesting Screenshot:

Detection

Emotet

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Sigma detected: Emotet RunDLL32 Process Creation

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Program does not show much activity (idle)

IP address seen in connection with other malware

PE file contains an invalid checksum

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Checks if the current process is being debugged

Potential key logger detected (key state polling based)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6748 cmdline: loaddll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 6740 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5376 cmdline: rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5392 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5572 cmdline: rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 4008 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn",wJPKT MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5348 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Thkptzp\bxlyirts.twn",Control_RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 5144 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6668 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6712 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3928 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.294421724.0000000002CA0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.299095986.0000000002B50000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.295708086.0000000004470000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.687143531.00000000048A0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.686773719.0000000002E80000.00000040.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.688356150.0000000005391000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.296174836.0000000004BE1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.296473938.0000000004F10000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.686844140.0000000002EB1000.00000020.00000010.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.296324799.0000000004D81000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.296432898.0000000004DE1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.687491386.0000000004FD0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.296540541.0000000004F41000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.688282448.0000000005360000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.688116591.00000000052A1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.687565744.0000000005001000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.687927978.0000000005210000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000003.00000002.294515907.0000000002D61000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.688520704.0000000005480000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.687727344.00000000050B0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.689006243.00000000055C1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.687967360.0000000005241000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000006.00000002.299196346.00000000044A1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.296066491.0000000004B01000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.687815211.00000000050E1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.687213898.00000000049D1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.296034357.0000000004AD0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.688892944.0000000005590000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.295759130.00000000044A1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.296271084.0000000004D50000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.688613212.00000000054B1000.00000020.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000007.00000002.688043473.0000000005270000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.296143062.0000000004BB0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
00000002.00000002.296388886.0000000004DB0000.00000040.00000001.sdmp	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 29 entries

Unpacked PEs

Source	Rule	Description	Author
7.2.rundll32.exe.5270000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5590000.16.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.50b0000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4d50000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5390000.13.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4ad0000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5210000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.44a0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.49d0000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4f40000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5270000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.44a0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.2b50000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5480000.14.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2ca0000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.50e0000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4de0000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5210000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2d60000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5240000.9.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5590000.16.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5360000.12.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4f10000.10.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4470000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5000000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.48a0000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5480000.14.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.50b0000.6.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.52a0000.11.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4d80000.7.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4470000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4fd0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
6.2.rundll32.exe.2b50000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.55c0000.17.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4db0000.8.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4db0000.8.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4f10000.10.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
3.2.rundll32.exe.2ca0000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.2e80000.0.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.48a0000.2.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4ad0000.2.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4b00000.3.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4d50000.6.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.2eb0000.1.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.2e80000.0.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4bb0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.54b0000.15.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4be0000.5.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
2.2.rundll32.exe.4bb0000.4.raw.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.5360000.12.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
7.2.rundll32.exe.4fd0000.4.unpack	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security
Click to see the 46 entries

Sigma Overview

System Summary:

Sigma detected: Emotet RunDLL32 Process Creation

Show sources

Source: Process started

Author: FPT.EagleEye: Data: Command: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Thkptzp\bxlyirts.twn",Control_RunDLL, CommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Thkptzp\bxlyirts.twn",Control_RunDLL, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn",wJPKT, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 4008, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Thkptzp\bxlyirts.twn",Control_RunDLL, ProcessId: 5348

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.2.rundll32.exe.4f40000.11.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["51.178.61.60:443", "168.197.250.14:80", "45.79.33.48:8080", "196.44.98.190:8080", "177.72.80.14:7080", "51.210.242.234:8080", "185.148.169.10:8080", "142.4.219.173:8080", "78.47.204.80:443", "78.46.73.125:443", "37.44.244.177:8080", "37.59.209.141:8080", "191.252.103.16:80", "54.38.242.185:443", "85.214.67.203:8080", "54.37.228.122:443", "207.148.81.119:8080", "195.77.239.39:8080", "66.42.57.149:443", "195.154.146.35:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}

Multi AV Scanner detection for submitted file

Show sources

Source: spZRMihlrkFGqYq1f.dll	Virustotal: Detection: 69%	Perma Link
Source: spZRMihlrkFGqYq1f.dll	Metadefender: Detection: 42%	Perma Link
Source: spZRMihlrkFGqYq1f.dll	ReversingLabs: Detection: 56%

Source: spZRMihlrkFGqYq1f.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49750 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1002592C lstrlenA,FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1002F3E9 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E1A80 FindFirstFileW,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2404336 ET CNC Feodo Tracker Reported CnC Server TCP group 19 192.168.2.4:49775 -> 51.178.61.60:443

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 51.178.61.60:443
Source: Malware configuration extractor	IPs: 168.197.250.14:80
Source: Malware configuration extractor	IPs: 45.79.33.48:8080
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 177.72.80.14:7080
Source: Malware configuration extractor	IPs: 51.210.242.234:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 142.4.219.173:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 78.46.73.125:443
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 37.59.209.141:8080
Source: Malware configuration extractor	IPs: 191.252.103.16:80
Source: Malware configuration extractor	IPs: 54.38.242.185:443
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 207.148.81.119:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 66.42.57.149:443
Source: Malware configuration extractor	IPs: 195.154.146.35:443

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

Source: Joe Sandbox View

JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8

Source: global traffic

HTTP traffic detected: GET /IJkHjHYuxCdTZukieIYhLRnUuQlzcYbcaXcjoFrjtLCdYogUVaLxnRUqnkImC HTTP/1.1Cookie: PAQTVlsSYfud=hHS8zfpj4oGmf1BJz19EG4wtDXynDI0rFeTsdmFttAYml0/MBamrj2Ji1+m2lK4MZXHf5PYTXhyurxVEhCtf5E7CksirazP0eBUw+b8GIs8/rWhl4ppyDek9yadBnYnu/OP7jMcO7nFENCnAGjQgt+FpnxDYohm38NGKWJk6N/ZfzNClL0fOql6yiXb5Neq5AZNKM6b8yrT50ZGNxEJw32EAn5oFjwpC2CybO6ZMM4S0eF/K8HS28PVDhodiRcpBkFM=Host: 51.178.61.60Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 207.148.81.119 207.148.81.119
Source: Joe Sandbox View	IP Address: 196.44.98.190 196.44.98.190

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60
Source: unknown	TCP traffic detected without corresponding DNS query: 51.178.61.60

Source: svchost.exe, 0000000C.00000003.406581320.0000022B5CB58000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000C.00000003.406581320.0000022B5CB58000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)

Source: svchost.exe, 0000000C.00000002.422958863.0000022B5C2E8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000C.00000002.422958863.0000022B5C2E8000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000C.00000003.401371022.0000022B5CB81000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.401428748.0000022B5CBBF000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.401402578.0000022B5CBAA000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.401388157.0000022B5CB81000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_049F1027 InternetReadFile,

Source: global traffic

Source: unknown

HTTPS traffic detected: 51.178.61.60:443 -> 192.168.2.3:49750 version: TLS 1.2

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10014B67 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1002C51C ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 7.2.rundll32.exe.5270000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5590000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.50b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4d50000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5390000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ad0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5210000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.44a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.49d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4f40000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5270000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.44a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5480000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.50e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4de0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5210000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2d60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5240000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5590000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5360000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4f10000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.48a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5480000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.50b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.52a0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4d80000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4fd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.55c0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4db0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4db0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4f10000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.48a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ad0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4d50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4bb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.54b0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4be0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4bb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5360000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4fd0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.294421724.0000000002CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.299095986.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.295708086.0000000004470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687143531.00000000048A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.686773719.0000000002E80000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688356150.0000000005391000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296174836.0000000004BE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296473938.0000000004F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.686844140.0000000002EB1000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296324799.0000000004D81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296432898.0000000004DE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687491386.0000000004FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296540541.0000000004F41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688282448.0000000005360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688116591.00000000052A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687565744.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687927978.0000000005210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.294515907.0000000002D61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688520704.0000000005480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687727344.00000000050B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.689006243.00000000055C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687967360.0000000005241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.299196346.00000000044A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296066491.0000000004B01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687815211.00000000050E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687213898.00000000049D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296034357.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688892944.0000000005590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.295759130.00000000044A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296271084.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688613212.00000000054B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688043473.0000000005270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296143062.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296388886.0000000004DB0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Source: spZRMihlrkFGqYq1f.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Thkptzp\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1003F030
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1003D322
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100104FC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1003B57C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1004C668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10040E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7CAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D743B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7CCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D77ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D70ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D808D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7BEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D630F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7DEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7ECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7AEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6AC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7D091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D63C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7AC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D67283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6CC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D74E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D80687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D65AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D798BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D790BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7D6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D778A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6FEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D744AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D69A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D62654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D62A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D63845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D62043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7E441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6A048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D61C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D71C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6F41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6E21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D64C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D61A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D68C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D81A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7F83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6EC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D69E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6D223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D75220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6A3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D66FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D825C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6C5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D803F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7BFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7B397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6FD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D81193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7D99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D69384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D64F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D74D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6BFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7B1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D77BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D72FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D79DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D74BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D63F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6C158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D63345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7F14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D81343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D71F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7FD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D6251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D63502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D62309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D80B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D8292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D66B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D65923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BCAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B43B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AA048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A2043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BE441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A2A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A3845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A9A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A2654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A1C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A1A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A8C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A4C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AF41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AE21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B1C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A9E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AD223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B5220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AEC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C1A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BF83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BBEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B0ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B7ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C08D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BCCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BAEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A30F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BDEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B4E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044ACC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A7283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C0687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BAC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BD091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A3C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AAC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B44AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AFEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BD6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B78A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B90BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B98BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A5AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BF14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A3345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C1343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AC158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A3F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B1F6B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A2309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A3502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BFD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A5923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A6B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C0B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A6FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C25C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AA3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BBFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AC5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C03F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A4F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B4D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A9384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BD99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044AFD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BB397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044C1193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B4BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B2FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B9DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044B7BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044ABFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BB1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DAC95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E748A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D5AB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E44AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E78A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049F08D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E7ED1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EDEF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D30F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EECE3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D441E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D220A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EF83F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DEC27
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E5220
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D3845
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D2043
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D758F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D9384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DBFB6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E4BAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E2FA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D6FC4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DC5FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D55E8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049F0B34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EAC9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D3C91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049ED091
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DCC8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E4E8A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049F0687
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D7283
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E98BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E90BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DDAAE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049ECAA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049ED6A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DFEA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E0ADE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049ECCD4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EBEC9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EA8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EAEEB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DE21C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DF41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E1C10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D8C09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D1A0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D4C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049F1A3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DD223
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D9E22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D2654
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D9A57
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DA048
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D2A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EE441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D1C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E406E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049ED99A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EB397
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DFD91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049F1193
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E4D8D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D4F8E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EB1B5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E7BB2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E43B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E9DA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DA3DF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049F25C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049F03F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EBFE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D251C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EFD10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D2309
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D3502
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049F292B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D6B25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D5923
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D3F5C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049DC158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EF14D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D3345
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049F1343
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E577E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E056A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E1F6B

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1003F350 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1003EE82 appears 50 times

Source: spZRMihlrkFGqYq1f.dll	Virustotal: Detection: 69%
Source: spZRMihlrkFGqYq1f.dll	Metadefender: Detection: 42%
Source: spZRMihlrkFGqYq1f.dll	ReversingLabs: Detection: 56%

Source: spZRMihlrkFGqYq1f.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn",wJPKT
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Thkptzp\bxlyirts.twn",Control_RunDLL
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn",wJPKT
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Thkptzp\bxlyirts.twn",Control_RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: classification engine

Classification label: mal96.troj.evad.winDLL@17/0@0/20

Source: C:\Windows\SysWOW64\rundll32.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1003A742 _memset,GetDiskFreeSpaceA,GetLastError,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_049E1B54 CreateToolhelp32Snapshot,

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1000A0F4 __EH_prolog3_catch,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: spZRMihlrkFGqYq1f.dll	Static PE information: section name: RT_CURSOR
Source: spZRMihlrkFGqYq1f.dll	Static PE information: section name: RT_BITMAP
Source: spZRMihlrkFGqYq1f.dll	Static PE information: section name: RT_ICON
Source: spZRMihlrkFGqYq1f.dll	Static PE information: section name: RT_MENU
Source: spZRMihlrkFGqYq1f.dll	Static PE information: section name: RT_DIALOG
Source: spZRMihlrkFGqYq1f.dll	Static PE information: section name: RT_STRING
Source: spZRMihlrkFGqYq1f.dll	Static PE information: section name: RT_ACCELERATOR
Source: spZRMihlrkFGqYq1f.dll	Static PE information: section name: RT_GROUP_ICON

Source: spZRMihlrkFGqYq1f.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: spZRMihlrkFGqYq1f.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: spZRMihlrkFGqYq1f.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: spZRMihlrkFGqYq1f.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: spZRMihlrkFGqYq1f.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1003F395 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1003EF21 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D61229 push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044A1229 push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049D1229 push eax; retf

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1004BC7A LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,

Source: spZRMihlrkFGqYq1f.dll

Static PE information: real checksum: 0xb4236 should be: 0xbc245

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

File opened: C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn:Zone.Identifier read attributes | delete

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000BD3C IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10022F30 GetParent,GetParent,IsIconic,GetParent,

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe TID: 4456

Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\loaddll32.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 2.2 %

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1003A2F3 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1002592C lstrlenA,FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1002F3E9 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049E1A80 FindFirstFileW,

Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Source: svchost.exe, 0000000C.00000002.422970473.0000022B5C2F7000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 0000000C.00000003.422114124.0000022B5C279000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.422958863.0000022B5C2E8000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.422851289.0000022B5C279000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10041482 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1003D032 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd,

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_02D7DE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_044BDE10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_049EDE10 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1004A43B __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10041482 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10039F21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 51.178.61.60 187

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1

Source: rundll32.exe, 00000007.00000002.687008639.0000000003330000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: rundll32.exe, 00000007.00000002.687008639.0000000003330000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000007.00000002.687008639.0000000003330000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000007.00000002.687008639.0000000003330000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10048EDF GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10045F08 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

Source: C:\Windows\SysWOW64\rundll32.exe

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 7.2.rundll32.exe.5270000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5590000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.50b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4d50000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5390000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ad0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5210000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.44a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.49d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4f40000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5270000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.44a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2b50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5480000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2ca0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.50e0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4de0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5210000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2d60000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5240000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5590000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5360000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4f10000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.48a0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5480000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.50b0000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.52a0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4d80000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4470000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4fd0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.rundll32.exe.2b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.55c0000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4db0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4db0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4f10000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.2ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2e80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.48a0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4ad0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4b00000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4d50000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.2e80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4bb0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.54b0000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4be0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.4bb0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.5360000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.4fd0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.294421724.0000000002CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.299095986.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.295708086.0000000004470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687143531.00000000048A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.686773719.0000000002E80000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688356150.0000000005391000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296174836.0000000004BE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296473938.0000000004F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.686844140.0000000002EB1000.00000020.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296324799.0000000004D81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296432898.0000000004DE1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687491386.0000000004FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296540541.0000000004F41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688282448.0000000005360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688116591.00000000052A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687565744.0000000005001000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687927978.0000000005210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.294515907.0000000002D61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688520704.0000000005480000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687727344.00000000050B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.689006243.00000000055C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687967360.0000000005241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.299196346.00000000044A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296066491.0000000004B01000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687815211.00000000050E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.687213898.00000000049D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296034357.0000000004AD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688892944.0000000005590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.295759130.00000000044A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296271084.0000000004D50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688613212.00000000054B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.688043473.0000000005270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296143062.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.296388886.0000000004DB0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_1000B92A __EH_prolog3_GS,lstrlenW,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API2	Path Interception	Process Injection112	Masquerading2	Input Capture1	System Time Discovery2	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery31	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	Application Window Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	File and Directory Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	System Information Discovery27	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
spZRMihlrkFGqYq1f.dll	70%	Virustotal		Browse
spZRMihlrkFGqYq1f.dll	43%	Metadefender		Browse
spZRMihlrkFGqYq1f.dll	57%	ReversingLabs	Win32.Trojan.Mansabo

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.rundll32.exe.4f40000.11.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.44a0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
6.2.rundll32.exe.44a0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.49d0000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
3.2.rundll32.exe.2d60000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4de0000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.50e0000.7.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.5390000.13.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.5240000.9.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.5000000.5.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.52a0000.11.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4d80000.7.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.55c0000.17.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4b00000.3.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
2.2.rundll32.exe.4be0000.5.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.2eb0000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.54b0000.15.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://51.178.61.60/IJkHjHYuxCdTZukieIYhLRnUuQlzcYbcaXcjoFrjtLCdYogUVaLxnRUqnkImC	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://51.178.61.60/IJkHjHYuxCdTZukieIYhLRnUuQlzcYbcaXcjoFrjtLCdYogUVaLxnRUqnkImC	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://crl.ver)	svchost.exe, 0000000C.00000002.422958863.0000022B5C2E8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.disneyplus.com/legal/privacy-policy	svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.tiktok.com/legal/report/feedback	svchost.exe, 0000000C.00000003.401371022.0000022B5CB81000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.401428748.0000022B5CBBF000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.401402578.0000022B5CBAA000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.401388157.0000022B5CB81000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://help.disneyplus.com.	svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://disneyplus.com/legal.	svchost.exe, 0000000C.00000003.400398200.0000022B5CB81000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
207.148.81.119	unknown	United States	20473	AS-CHOOPAUS	true
196.44.98.190	unknown	Ghana	327814	EcobandGH	true
78.46.73.125	unknown	Germany	24940	HETZNER-ASDE	true
37.59.209.141	unknown	France	16276	OVHFR	true
85.214.67.203	unknown	Germany	6724	STRATOSTRATOAGDE	true
191.252.103.16	unknown	Brazil	27715	LocawebServicosdeInternetSABR	true
45.79.33.48	unknown	United States	63949	LINODE-APLinodeLLCUS	true
54.37.228.122	unknown	France	16276	OVHFR	true
185.148.169.10	unknown	Germany	44780	EVERSCALE-ASDE	true
142.4.219.173	unknown	Canada	16276	OVHFR	true
54.38.242.185	unknown	France	16276	OVHFR	true
195.154.146.35	unknown	France	12876	OnlineSASFR	true
195.77.239.39	unknown	Spain	60493	FICOSA-ASES	true
78.47.204.80	unknown	Germany	24940	HETZNER-ASDE	true
168.197.250.14	unknown	Argentina	264776	OmarAnselmoRipollTDCNETAR	true
51.178.61.60	unknown	France	16276	OVHFR	true
177.72.80.14	unknown	Brazil	262543	NewLifeFibraBR	true
66.42.57.149	unknown	United States	20473	AS-CHOOPAUS	true
37.44.244.177	unknown	Germany	47583	AS-HOSTINGERLT	true
51.210.242.234	unknown	France	16276	OVHFR	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	531996
Start date:	01.12.2021
Start time:	16:24:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 48s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	spZRMihlrkFGqYq1f.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winDLL@17/0@0/20
EGA Information:	Successful, ratio: 80%
HDC Information:	Successful, ratio: 99.3% (good quality ratio 90.9%) Quality average: 75.3% Quality standard deviation: 29.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.54.110.249 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
207.148.81.119	gvtdsqavfej.dll	Get hash	malicious	Browse
	mhOX6jll6x.dll	Get hash	malicious	Browse
	dguQYT8p8j.dll	Get hash	malicious	Browse
	jSxIzXfwc7.dll	Get hash	malicious	Browse
	mhOX6jll6x.dll	Get hash	malicious	Browse
	X2XCewI2Yy.dll	Get hash	malicious	Browse
	dguQYT8p8j.dll	Get hash	malicious	Browse
	HMvjzUYq2h.dll	Get hash	malicious	Browse
	s9BZBDWmi4.dll	Get hash	malicious	Browse
	bFx5bZRC6P.dll	Get hash	malicious	Browse
	c7IUEh66u6.dll	Get hash	malicious	Browse
	HMvjzUYq2h.dll	Get hash	malicious	Browse
	s9BZBDWmi4.dll	Get hash	malicious	Browse
	bFx5bZRC6P.dll	Get hash	malicious	Browse
	WfCt2B042X.dll	Get hash	malicious	Browse
	ZKVYER7XcT.dll	Get hash	malicious	Browse
	2cq85E4EeM.dll	Get hash	malicious	Browse
	WfCt2B042X.dll	Get hash	malicious	Browse
	ZKVYER7XcT.dll	Get hash	malicious	Browse
196.44.98.190	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse
	gvtdsqavfej.dll	Get hash	malicious	Browse
	mhOX6jll6x.dll	Get hash	malicious	Browse
	dguQYT8p8j.dll	Get hash	malicious	Browse
	jSxIzXfwc7.dll	Get hash	malicious	Browse
	mhOX6jll6x.dll	Get hash	malicious	Browse
	X2XCewI2Yy.dll	Get hash	malicious	Browse
	dguQYT8p8j.dll	Get hash	malicious	Browse
	HMvjzUYq2h.dll	Get hash	malicious	Browse
	s9BZBDWmi4.dll	Get hash	malicious	Browse
	bFx5bZRC6P.dll	Get hash	malicious	Browse
	c7IUEh66u6.dll	Get hash	malicious	Browse
	HMvjzUYq2h.dll	Get hash	malicious	Browse
	s9BZBDWmi4.dll	Get hash	malicious	Browse
	bFx5bZRC6P.dll	Get hash	malicious	Browse
	WfCt2B042X.dll	Get hash	malicious	Browse
	ZKVYER7XcT.dll	Get hash	malicious	Browse
	2cq85E4EeM.dll	Get hash	malicious	Browse
	WfCt2B042X.dll	Get hash	malicious	Browse
	ZKVYER7XcT.dll	Get hash	malicious	Browse

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	66.42.57.149
	iU17wh2uUd.exe	Get hash	malicious	Browse	149.28.253.196
	iU17wh2uUd.exe	Get hash	malicious	Browse	149.28.253.196
	Sz4lxTmH7r.exe	Get hash	malicious	Browse	149.28.253.196
	7AF33E5528AB8A8F45EE7B8C4DD24B4014FEAA6E1D310.exe	Get hash	malicious	Browse	149.28.253.196
	RFIlSRQKzj.exe	Get hash	malicious	Browse	45.32.115.235
	setup_x86_x64_install.exe	Get hash	malicious	Browse	149.28.253.196
	991D4DC612FF80AB2506510DBA31531DB995FE3F64318.exe	Get hash	malicious	Browse	149.28.253.196
	MMUc2aeWxZ.exe	Get hash	malicious	Browse	149.28.253.196
	0pvsj0MF1D.exe	Get hash	malicious	Browse	149.28.253.196
	Linux_amd64	Get hash	malicious	Browse	45.32.162.141
	nkXzJnW7AH.exe	Get hash	malicious	Browse	149.28.253.196
	67MPsax8fd.exe	Get hash	malicious	Browse	136.244.117.138
	Linux_x86	Get hash	malicious	Browse	45.77.44.252
	uI6mJo4TJQ.exe	Get hash	malicious	Browse	149.28.253.196
	uI6mJo4TJQ.exe	Get hash	malicious	Browse	149.28.253.196
	M2jG6lMe7Y.exe	Get hash	malicious	Browse	202.182.120.6
	7LPqKhiPCL.exe	Get hash	malicious	Browse	139.180.133.9
	wvYbWkOPqJ.exe	Get hash	malicious	Browse	149.28.253.196
	wvYbWkOPqJ.exe	Get hash	malicious	Browse	149.28.253.196
EcobandGH	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	196.44.98.190
	gvtdsqavfej.dll	Get hash	malicious	Browse	196.44.98.190
	mhOX6jll6x.dll	Get hash	malicious	Browse	196.44.98.190
	dguQYT8p8j.dll	Get hash	malicious	Browse	196.44.98.190
	jSxIzXfwc7.dll	Get hash	malicious	Browse	196.44.98.190
	mhOX6jll6x.dll	Get hash	malicious	Browse	196.44.98.190
	X2XCewI2Yy.dll	Get hash	malicious	Browse	196.44.98.190
	dguQYT8p8j.dll	Get hash	malicious	Browse	196.44.98.190
	HMvjzUYq2h.dll	Get hash	malicious	Browse	196.44.98.190
	s9BZBDWmi4.dll	Get hash	malicious	Browse	196.44.98.190
	bFx5bZRC6P.dll	Get hash	malicious	Browse	196.44.98.190
	c7IUEh66u6.dll	Get hash	malicious	Browse	196.44.98.190
	HMvjzUYq2h.dll	Get hash	malicious	Browse	196.44.98.190
	s9BZBDWmi4.dll	Get hash	malicious	Browse	196.44.98.190
	bFx5bZRC6P.dll	Get hash	malicious	Browse	196.44.98.190
	WfCt2B042X.dll	Get hash	malicious	Browse	196.44.98.190
	ZKVYER7XcT.dll	Get hash	malicious	Browse	196.44.98.190
	2cq85E4EeM.dll	Get hash	malicious	Browse	196.44.98.190
	WfCt2B042X.dll	Get hash	malicious	Browse	196.44.98.190
	ZKVYER7XcT.dll	Get hash	malicious	Browse	196.44.98.190

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
51c64c77e60f3980eea90869b68c58a8	spZRMihlrkFGqYq1f.dll	Get hash	malicious	Browse	51.178.61.60
	fehiVK2JSx.dll	Get hash	malicious	Browse	51.178.61.60
	kQ9HU0gKVH.exe	Get hash	malicious	Browse	51.178.61.60
	gvtdsqavfej.dll	Get hash	malicious	Browse	51.178.61.60
	mhOX6jll6x.dll	Get hash	malicious	Browse	51.178.61.60
	dguQYT8p8j.dll	Get hash	malicious	Browse	51.178.61.60
	jSxIzXfwc7.dll	Get hash	malicious	Browse	51.178.61.60
	mhOX6jll6x.dll	Get hash	malicious	Browse	51.178.61.60
	X2XCewI2Yy.dll	Get hash	malicious	Browse	51.178.61.60
	dguQYT8p8j.dll	Get hash	malicious	Browse	51.178.61.60
	date1%3fBNLv65=pAAS.dll	Get hash	malicious	Browse	51.178.61.60
	HMvjzUYq2h.dll	Get hash	malicious	Browse	51.178.61.60
	s9BZBDWmi4.dll	Get hash	malicious	Browse	51.178.61.60
	bFx5bZRC6P.dll	Get hash	malicious	Browse	51.178.61.60
	c7IUEh66u6.dll	Get hash	malicious	Browse	51.178.61.60
	HMvjzUYq2h.dll	Get hash	malicious	Browse	51.178.61.60
	s9BZBDWmi4.dll	Get hash	malicious	Browse	51.178.61.60
	bFx5bZRC6P.dll	Get hash	malicious	Browse	51.178.61.60
	WfCt2B042X.dll	Get hash	malicious	Browse	51.178.61.60
	ZKVYER7XcT.dll	Get hash	malicious	Browse	51.178.61.60

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.7859159976425
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 95.51% InstallShield setup (43055/19) 4.10% Generic Win/DOS Executable (2004/3) 0.19% DOS Executable Generic (2002/1) 0.19% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	spZRMihlrkFGqYq1f.dll
File size:	712704
MD5:	9f4fa905fd685d28c4ff28f24ad224a1
SHA1:	e186e0869276d3af6465d7c754b22527c7ac2ced
SHA256:	808e8247efd685bdbae3ea0e55de1e8ed8aecd1359a213b0c6291b73f007fdaf
SHA512:	d8c33eb38fe54e40d463f20b6091c88863f0fadc70382ad826d7c33e61d696af614e9ba8c73f84d4e13fb141289d5bd978451a5565f61e869a054a837fdef5e0
SSDEEP:	12288:WKEUkuAOLka1miSmuYr1V7nAobS3qTHPR101D:TEQLka1nBVDAoS3WvR
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y.V.8...8...8..I7...8..I7...8...8...:.......8.......8......48.......8.......8.......8.......8..Rich.8..........PE..L...(..a...

File Icon


Icon Hash:	be71f1aca0b8c0c4

Static PE Info

General
Entrypoint:	0x1003d301
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x61A0C528 [Fri Nov 26 11:29:44 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d8c52655a835ecb2c6fea489c7c7674b

Entrypoint Preview

Instruction
cmp dword ptr [esp+08h], 01h
jne 00007F68D4C0C6E7h
call 00007F68D4C182B7h
push dword ptr [esp+04h]
mov ecx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
call 00007F68D4C0C5D2h
pop ecx
retn 000Ch
push ebp
mov ebp, esp
push esi
push edi
mov edi, dword ptr [ebp+10h]
mov eax, edi
sub eax, 00000000h
je 00007F68D4C0DCCBh
dec eax
je 00007F68D4C0DCB3h
dec eax
je 00007F68D4C0DC7Eh
dec eax
je 00007F68D4C0DC2Fh
dec eax
je 00007F68D4C0DB9Fh
mov ecx, dword ptr [ebp+0Ch]
mov eax, dword ptr [ebp+08h]
push ebx
push 00000020h
pop edx
jmp 00007F68D4C0CB57h
mov esi, dword ptr [eax]
cmp esi, dword ptr [ecx]
je 00007F68D4C0C75Eh
movzx esi, byte ptr [eax]
movzx ebx, byte ptr [ecx]
sub esi, ebx
je 00007F68D4C0C6F7h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F68D4C0CB4Fh
movzx esi, byte ptr [eax+01h]
movzx ebx, byte ptr [ecx+01h]
sub esi, ebx
je 00007F68D4C0C6F7h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F68D4C0CB2Eh
movzx esi, byte ptr [eax+02h]
movzx ebx, byte ptr [ecx+02h]
sub esi, ebx
je 00007F68D4C0C6F7h
xor ebx, ebx
test esi, esi
setnle bl
lea ebx, dword ptr [ebx+ebx-01h]
mov esi, ebx
test esi, esi
jne 00007F68D4C0CB0Dh
movzx eax, byte ptr [eax]

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x70890	0x4e	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6dec8	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9c000	0x9af8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0x767c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x63558	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x58000	0x7d0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x6de40	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x566b7	0x57000	False	0.574984846444	data	6.6363911364	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x58000	0x188de	0x19000	False	0.30236328125	data	4.88012998463	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x71000	0x2a254	0x27000	False	0.931434044471	data	7.84888321435	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x9c000	0x9af8	0xa000	False	0.241723632813	data	3.85640321845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xbd48	0xc000	False	0.347106933594	data	4.87718770475	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x9d780	0x134	data	English	United States
RT_CURSOR	0x9d8b4	0xb4	data	English	United States
RT_CURSOR	0x9d968	0x134	data	English	United States
RT_CURSOR	0x9da9c	0xb4	data	English	United States
RT_CURSOR	0x9db50	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x9dc84	0xb4	data	English	United States
RT_CURSOR	0x9dd38	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x9de6c	0xb4	data	English	United States
RT_CURSOR	0x9df20	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x9e054	0xb4	data	English	United States
RT_CURSOR	0x9e108	0x200	AmigaOS bitmap font	English	United States
RT_CURSOR	0x9e308	0xb4	data	English	United States
RT_CURSOR	0x9e3bc	0x200	AmigaOS bitmap font	English	United States
RT_CURSOR	0x9e5bc	0xb4	data	English	United States
RT_CURSOR	0x9e670	0x200	AmigaOS bitmap font	English	United States
RT_CURSOR	0x9e870	0xb4	data	English	United States
RT_CURSOR	0x9e924	0x200	AmigaOS bitmap font	English	United States
RT_CURSOR	0x9eb24	0xb4	data	English	United States
RT_CURSOR	0x9ebd8	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x9ed0c	0xb4	data	English	United States
RT_CURSOR	0x9edc0	0x134	data	English	United States
RT_CURSOR	0x9eef4	0xb4	data	English	United States
RT_CURSOR	0x9efa8	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x9f0dc	0x134	data	English	United States
RT_CURSOR	0x9f210	0x134	data	English	United States
RT_CURSOR	0x9f344	0x134	data	English	United States
RT_CURSOR	0x9f478	0x134	data	English	United States
RT_CURSOR	0x9f5ac	0x134	data	English	United States
RT_CURSOR	0x9f6e0	0x134	data	English	United States
RT_CURSOR	0x9f814	0x134	data	English	United States
RT_CURSOR	0x9f948	0x134	data	English	United States
RT_CURSOR	0x9fa7c	0x134	data	English	United States
RT_CURSOR	0x9fbb0	0x134	AmigaOS bitmap font	English	United States
RT_CURSOR	0x9fce4	0x134	data	English	United States
RT_CURSOR	0x9fe18	0x134	data	English	United States
RT_CURSOR	0x9ff4c	0x134	data	English	United States
RT_CURSOR	0xa0080	0x134	data	English	United States
RT_CURSOR	0xa01b4	0xb4	data	English	United States
RT_BITMAP	0xa0268	0x4a0	data	English	United States
RT_BITMAP	0xa0708	0x2c0	data	English	United States
RT_BITMAP	0xa09c8	0xb8	data	English	United States
RT_BITMAP	0xa0a80	0x144	data	English	United States
RT_ICON	0xa0bc4	0x2e8	data	English	United States
RT_ICON	0xa0eac	0x2e8	data	English	United States
RT_MENU	0xa1194	0x15c	data	English	United States
RT_MENU	0xa12f0	0x42e	data	English	United States
RT_MENU	0xa1720	0x25c	data	English	United States
RT_MENU	0xa197c	0x478	data	English	United States
RT_DIALOG	0xa1df4	0x1da	data	English	United States
RT_DIALOG	0xa1fd0	0x3ea	data	English	United States
RT_DIALOG	0xa23bc	0x250	data	English	United States
RT_DIALOG	0xa260c	0xd2	data	English	United States
RT_DIALOG	0xa26e0	0xe8	data	English	United States
RT_DIALOG	0xa27c8	0x1a2	data	English	United States
RT_DIALOG	0xa296c	0x15a	data	English	United States
RT_DIALOG	0xa2ac8	0x34	data	English	United States
RT_STRING	0xa2afc	0x102	data	English	United States
RT_STRING	0xa2c00	0x124	data	English	United States
RT_STRING	0xa2d24	0xd8	data	English	United States
RT_STRING	0xa2dfc	0x7c	data	English	United States
RT_STRING	0xa2e78	0xaa	data	English	United States
RT_STRING	0xa2f24	0x8c	data	English	United States
RT_STRING	0xa2fb0	0xa2	data	English	United States
RT_STRING	0xa3054	0x1d2	data	English	United States
RT_STRING	0xa3228	0xb0	data	English	United States
RT_STRING	0xa32d8	0x23e	data	English	United States
RT_STRING	0xa3518	0x100	data	English	United States
RT_STRING	0xa3618	0x220	data	English	United States
RT_STRING	0xa3838	0x46	data	English	United States
RT_STRING	0xa3880	0x86	data	English	United States
RT_STRING	0xa3908	0x1ac	data	English	United States
RT_STRING	0xa3ab4	0xae	data	English	United States
RT_STRING	0xa3b64	0xca	data	English	United States
RT_STRING	0xa3c30	0x2a	data	English	United States
RT_STRING	0xa3c5c	0x192	data	English	United States
RT_STRING	0xa3df0	0x124	data	English	United States
RT_STRING	0xa3f14	0x5e	data	English	United States
RT_STRING	0xa3f74	0x4a	data	English	United States
RT_STRING	0xa3fc0	0x4e2	data	English	United States
RT_STRING	0xa44a4	0x31a	data	English	United States
RT_STRING	0xa47c0	0x2dc	data	English	United States
RT_STRING	0xa4a9c	0x8a	data	English	United States
RT_STRING	0xa4b28	0x32e	data	English	United States
RT_STRING	0xa4e58	0xde	data	English	United States
RT_STRING	0xa4f38	0x4c4	data	English	United States
RT_STRING	0xa53fc	0x264	data	English	United States
RT_STRING	0xa5660	0x2c	data	English	United States
RT_STRING	0xa568c	0x42	data	English	United States
RT_ACCELERATOR	0xa56d0	0x78	data	English	United States
RT_ACCELERATOR	0xa5748	0x50	data	English	United States
RT_ACCELERATOR	0xa5798	0x18	data	English	United States
RT_GROUP_CURSOR	0xa57b0	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa57d4	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa57f8	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa581c	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa5840	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa5864	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa5888	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa58ac	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa58d0	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa58f4	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa5918	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa593c	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States
RT_GROUP_CURSOR	0xa5960	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa5974	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa5988	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa599c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa59b0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa59c4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa59d8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa59ec	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa5a00	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa5a14	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa5a28	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa5a3c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa5a50	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_CURSOR	0xa5a64	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States
RT_GROUP_ICON	0xa5a78	0x14	data	English	United States
RT_GROUP_ICON	0xa5a8c	0x14	data	English	United States
RT_MANIFEST	0xa5aa0	0x56	ASCII text, with CRLF line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	RaiseException, HeapSize, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapDestroy, HeapCreate, VirtualFree, Sleep, GetStdHandle, GetACP, GetTimeZoneInformation, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, RtlUnwind, GetStringTypeW, SetHandleCount, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, LCMapStringA, LCMapStringW, GetConsoleCP, GetConsoleMode, GetLocaleInfoW, SetStdHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, SetEnvironmentVariableA, GetProcessHeap, GetCommandLineA, GetDateFormatA, GetTimeFormatA, GetSystemTimeAsFileTime, HeapReAlloc, VirtualQuery, GetSystemInfo, VirtualAlloc, VirtualProtect, HeapAlloc, HeapFree, GetCurrentDirectoryA, GetShortPathNameA, GetVolumeInformationA, GetCurrentProcess, DuplicateHandle, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, DeleteFileA, MoveFileA, GetProfileIntA, GetOEMCP, GetCPInfo, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, GlobalHandle, GlobalReAlloc, TlsGetValue, GetThreadLocale, GlobalFlags, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, GetCurrentThread, ConvertDefaultLocale, EnumResourceLanguagesA, GetLocaleInfoA, GetFileSize, CreateFileA, CloseHandle, SystemTimeToFileTime, LocalFileTimeToFileTime, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToSystemTime, GetModuleFileNameA, GetDiskFreeSpaceA, GetFullPathNameA, GetTempFileNameA, GetFileTime, SetFileTime, GetFileAttributesA, LocalAlloc, LocalLock, LocalUnlock, GetPrivateProfileStringA, WritePrivateProfileStringA, GetPrivateProfileIntA, lstrcmpA, InterlockedIncrement, GetCurrentProcessId, GetCurrentThreadId, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpW, GetVersionExA, CopyFileA, GlobalSize, GlobalAlloc, FormatMessageA, LocalFree, FreeLibrary, InterlockedDecrement, GlobalFree, FreeResource, GlobalLock, GlobalUnlock, GetModuleHandleA, GetProcAddress, SetLastError, GetTickCount, MulDiv, lstrcpynA, LoadLibraryA, ExitProcess, GetVersion, CompareStringA, LockResource, lstrcmpiA, GetLastError, InterlockedExchange, GetStringTypeExA, lstrlenW, MultiByteToWideChar, CompareStringW, SizeofResource, WideCharToMultiByte, LoadResource, lstrlenA, FindResourceA, GlobalMemoryStatus, GetStringTypeA
USER32.dll	SetCapture, GetDCEx, FindWindowA, SetWindowRgn, DestroyIcon, LockWindowUpdate, ShowOwnedPopups, PostQuitMessage, LoadCursorA, DestroyCursor, GetTabbedTextExtentA, MessageBeep, IsClipboardFormatAvailable, RedrawWindow, TranslateMDISysAccel, DrawMenuBar, DefMDIChildProcA, DefFrameProcA, SetParent, WindowFromDC, InSendMessage, ClipCursor, GetCursorPos, PostThreadMessageA, CreateMenu, CopyAcceleratorTableA, UnpackDDElParam, ReuseDDElParam, LoadMenuA, DestroyMenu, GetWindowThreadProcessId, SetCursor, ReleaseCapture, InsertMenuItemA, CreatePopupMenu, SetMenu, TranslateAcceleratorA, InvalidateRect, SetRectEmpty, ShowWindow, IsDialogMessageA, SetDlgItemTextA, RegisterWindowMessageA, SendDlgItemMessageA, WinHelpA, IsChild, GetCapture, SetWindowsHookExA, CallNextHookEx, GetClassLongA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SetFocus, GetWindowTextLengthA, GetWindowTextA, GetForegroundWindow, GetLastActivePopup, DispatchMessageA, DeleteMenu, EndDeferWindowPos, GetTopWindow, GetMessageTime, GetMessagePos, PeekMessageA, MapWindowPoints, ScrollWindow, TrackPopupMenu, GetKeyState, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, GetMenu, PostMessageA, GetClassInfoExA, GetClassInfoA, RegisterClassA, AdjustWindowRectEx, EqualRect, DeferWindowPos, CopyRect, GetScrollInfo, SetScrollInfo, PtInRect, SetWindowPlacement, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindow, GetMenuStringA, AppendMenuA, GetMenuItemID, InsertMenuA, GetMenuItemCount, GetSubMenu, RemoveMenu, UnhookWindowsHookEx, GetDesktopWindow, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamA, IsWindow, GetWindowLongA, EnableWindow, GetSystemMetrics, SetRect, LoadAcceleratorsA, GetDlgItem, IsWindowEnabled, GetNextDlgTabItem, EndDialog, GetSysColor, EndPaint, BeginPaint, GetWindowDC, ClientToScreen, ScreenToClient, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, SetMenuItemBitmaps, WindowFromPoint, GetMenuItemInfoA, UnregisterClassA, GetSysColorBrush, RegisterClipboardFormatA, GetMessageA, TranslateMessage, BeginDeferWindowPos, ValidateRect, GetClientRect, DrawIcon, wsprintfA, CharUpperA, LoadIconA, FillRect, MessageBoxA, IsZoomed, SendMessageA, IsWindowVisible, IsRectEmpty, InflateRect, UpdateWindow, SetWindowTextA, SetWindowPos, ReleaseDC, CreateWindowExA, BringWindowToTop, SetWindowLongA, GetDC, GetParent, GetFocus, KillTimer, GetWindowRect, SetTimer, DestroyWindow, IsIconic, CheckMenuItem, EnableMenuItem, GetMenuState, ModifyMenuA, LoadBitmapA, GetMenuCheckMarkDimensions
GDI32.dll	SetWindowExtEx, ScaleWindowExtEx, GetCurrentPositionEx, DeleteDC, CreatePatternBrush, CreatePen, CreateSolidBrush, CopyMetaFileA, CreateDCA, GetCharWidthA, CreateFontA, StretchDIBits, SetBrushOrgEx, CreateMetaFileA, SetWindowOrgEx, DeleteMetaFile, GetTextExtentPoint32A, DPtoLP, CreateRectRgnIndirect, SetRectRgn, CombineRgn, GetMapMode, PatBlt, GetViewportOrgEx, GetBkColor, UnrealizeObject, GetTextAlign, GetWindowOrgEx, StartPage, EndPage, SetAbortProc, AbortDoc, EndDoc, CreateEllipticRgn, LPtoDP, Ellipse, GetNearestColor, GetBkMode, GetPolyFillMode, GetROP2, GetStretchBltMode, GetTextColor, GetTextFaceA, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, StartDocA, GetPixel, BitBlt, CloseMetaFile, GetStockObject, GetViewportExtEx, CreateRectRgn, SelectClipRgn, DeleteObject, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetTextColor, SetStretchBltMode, SetROP2, SetPolyFillMode, SetBkMode, SetBkColor, RestoreDC, SaveDC, CreateBitmap, GetDeviceCaps, CreateFontIndirectA, GetObjectA, GetTextMetricsA, StretchBlt, CreateCompatibleDC, CreateCompatibleBitmap, Rectangle, GetWindowExtEx
comdlg32.dll	GetFileTitleA
WINSPOOL.DRV	GetJobA, DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	RegQueryValueA, RegEnumKeyA, GetFileSecurityA, SetFileSecurityA, RegDeleteKeyA, RegDeleteValueA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegOpenKeyA, RegSetValueA, RegCloseKey, RegCreateKeyA
SHELL32.dll	DragFinish, DragQueryFileA, ExtractIconA, SHGetFileInfoA, DragAcceptFiles
SHLWAPI.dll	PathRemoveExtensionA, PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
oledlg.dll
ole32.dll	OleIsCurrentClipboard, OleFlushClipboard, CoRegisterClassObject, CoRevokeClassObject, OleUninitialize, CoFreeUnusedLibraries, OleInitialize, OleLockRunning, CoRegisterMessageFilter, OleSetClipboard, CreateFileMoniker, StgCreateDocfile, CoDisconnectObject, CreateGenericComposite, CreateItemMoniker, CreateStreamOnHGlobal, OleSaveToStream, WriteClassStm, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, CreateDataAdviseHolder, OleRegGetMiscStatus, CreateOleAdviseHolder, OleRegEnumVerbs, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, IsAccelerator, OleTranslateAccelerator, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, CreateBindCtx, StringFromCLSID, OleRegGetUserType, WriteClassStg, CoTaskMemFree, CoLockObjectExternal, OleRun, GetRunningObjectTable, OleIsRunning, StgIsStorageFile, StgOpenStorage
OLEAUT32.dll	SysStringLen, SysStringByteLen, VariantClear, VariantChangeType, VariantInit, SysAllocStringLen, SysFreeString

Exports

Name	Ordinal	Address
Control_RunDLL	1	0x10003680

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
12/01/21-16:12:03.931139	TCP	2404336	ET CNC Feodo Tracker Reported CnC Server TCP group 19	49775	443	192.168.2.4	51.178.61.60

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 1, 2021 16:28:26.747145891 CET	49750	443	192.168.2.3	51.178.61.60
Dec 1, 2021 16:28:26.747189999 CET	443	49750	51.178.61.60	192.168.2.3
Dec 1, 2021 16:28:26.747284889 CET	49750	443	192.168.2.3	51.178.61.60
Dec 1, 2021 16:28:26.767390013 CET	49750	443	192.168.2.3	51.178.61.60
Dec 1, 2021 16:28:26.767416000 CET	443	49750	51.178.61.60	192.168.2.3
Dec 1, 2021 16:28:26.879385948 CET	443	49750	51.178.61.60	192.168.2.3
Dec 1, 2021 16:28:26.879515886 CET	49750	443	192.168.2.3	51.178.61.60
Dec 1, 2021 16:28:27.288717031 CET	49750	443	192.168.2.3	51.178.61.60
Dec 1, 2021 16:28:27.288773060 CET	443	49750	51.178.61.60	192.168.2.3
Dec 1, 2021 16:28:27.289160013 CET	443	49750	51.178.61.60	192.168.2.3
Dec 1, 2021 16:28:27.292238951 CET	49750	443	192.168.2.3	51.178.61.60
Dec 1, 2021 16:28:27.297082901 CET	49750	443	192.168.2.3	51.178.61.60
Dec 1, 2021 16:28:27.340898037 CET	443	49750	51.178.61.60	192.168.2.3
Dec 1, 2021 16:28:27.545439005 CET	443	49750	51.178.61.60	192.168.2.3
Dec 1, 2021 16:28:27.545545101 CET	443	49750	51.178.61.60	192.168.2.3
Dec 1, 2021 16:28:27.545676947 CET	49750	443	192.168.2.3	51.178.61.60
Dec 1, 2021 16:28:27.545705080 CET	49750	443	192.168.2.3	51.178.61.60
Dec 1, 2021 16:28:27.549904108 CET	49750	443	192.168.2.3	51.178.61.60
Dec 1, 2021 16:28:27.549952030 CET	443	49750	51.178.61.60	192.168.2.3

HTTP Request Dependency Graph

51.178.61.60

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49750	51.178.61.60	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Direction	Data
2021-12-01 15:28:27 UTC	OUT	GET /IJkHjHYuxCdTZukieIYhLRnUuQlzcYbcaXcjoFrjtLCdYogUVaLxnRUqnkImC HTTP/1.1 Cookie: PAQTVlsSYfud=hHS8zfpj4oGmf1BJz19EG4wtDXynDI0rFeTsdmFttAYml0/MBamrj2Ji1+m2lK4MZXHf5PYTXhyurxVEhCtf5E7CksirazP0eBUw+b8GIs8/rWhl4ppyDek9yadBnYnu/OP7jMcO7nFENCnAGjQgt+FpnxDYohm38NGKWJk6N/ZfzNClL0fOql6yiXb5Neq5AZNKM6b8yrT50ZGNxEJw32EAn5oFjwpC2CybO6ZMM4S0eF/K8HS28PVDhodiRcpBkFM= Host: 51.178.61.60 Connection: Keep-Alive Cache-Control: no-cache
2021-12-01 15:28:27 UTC	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 01 Dec 2021 15:28:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2021-12-01 15:28:27 UTC	IN	Data Raw: 33 36 39 0d 0a 2b 2b 07 97 7b 00 e6 e2 9e fa d5 16 b4 e8 42 19 69 9c 55 49 1e 25 02 b8 95 be b2 02 17 d4 62 16 09 8c f1 e3 7d 31 b7 50 fd 58 c3 60 ed 15 b2 c6 93 dc 68 3a 0c b9 ce 3f 7a 50 3c 34 52 1d eb 28 dd 4a 64 36 e8 92 17 ae 01 ff bc 5e 30 24 dc 50 19 15 83 94 72 df 92 ad ac 4e 97 25 08 47 75 1f 69 fe 1e 69 70 75 52 00 8d 9d 1e d5 5e 61 4d 97 69 cb 4a 5c bb 54 d8 04 e3 26 37 d2 38 32 03 a4 11 21 ea e6 fd 47 f3 de 40 87 81 fe 5e 5e 8f 74 7e c9 04 e5 20 55 38 9e 5b 84 2b a1 03 ae 84 c2 ca 9b dc 2e 70 03 80 a2 e5 40 84 3e 09 68 95 e7 fe 44 7c 60 ff 84 1c d1 9f 49 f5 e7 7a 4c c2 c3 68 a0 be c7 91 5c 40 d9 3e 43 06 33 bd 0f fa 2d 76 61 a0 68 60 23 cf 33 75 e9 da 9a 83 8f bd cf 35 e8 8d 02 74 a9 eb eb c5 b1 9a 93 ab 92 ae 0a 8f 63 98 e5 73 13 92 26 56 5f Data Ascii: 369++{BiUI%b}1PX`h:?zP<4R(Jd6^0$PrN%GuiipuR^aMiJ\T&782!G@^^t~ U8[+.p@>hD\|`IzLh\@>C3-vah`#3u5tcs&V_

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 6748 Parent PID: 2988

General

Start time:	16:28:14
Start date:	01/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll"
Imagebase:	0x300000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 6740 Parent PID: 6748

General

Start time:	16:28:15
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5572 Parent PID: 6748

General

Start time:	16:28:15
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll,Control_RunDLL
Imagebase:	0x840000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.295708086.0000000004470000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.296174836.0000000004BE1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.296473938.0000000004F10000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.296324799.0000000004D81000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.296432898.0000000004DE1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.296540541.0000000004F41000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.296066491.0000000004B01000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.296034357.0000000004AD0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.295759130.00000000044A1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.296271084.0000000004D50000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.296143062.0000000004BB0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000002.00000002.296388886.0000000004DB0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 5376 Parent PID: 6740

General

Start time:	16:28:15
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",#1
Imagebase:	0x840000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.294421724.0000000002CA0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000003.00000002.294515907.0000000002D61000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exe PID: 5144 Parent PID: 572

General

Start time:	16:28:15
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5392 Parent PID: 5376

General

Start time:	16:28:16
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\spZRMihlrkFGqYq1f.dll",Control_RunDLL
Imagebase:	0x840000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 4008 Parent PID: 5572

General

Start time:	16:28:16
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Thkptzp\bxlyirts.twn",wJPKT
Imagebase:	0x840000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.299095986.0000000002B50000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000006.00000002.299196346.00000000044A1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 5348 Parent PID: 4008

General

Start time:	16:28:17
Start date:	01/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Thkptzp\bxlyirts.twn",Control_RunDLL
Imagebase:	0x840000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687143531.00000000048A0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.686773719.0000000002E80000.00000040.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688356150.0000000005391000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.686844140.0000000002EB1000.00000020.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687491386.0000000004FD0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688282448.0000000005360000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688116591.00000000052A1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687565744.0000000005001000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687927978.0000000005210000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688520704.0000000005480000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687727344.00000000050B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.689006243.00000000055C1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687967360.0000000005241000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687815211.00000000050E1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.687213898.00000000049D1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688892944.0000000005590000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688613212.00000000054B1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000007.00000002.688043473.0000000005270000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: svchost.exe PID: 6668 Parent PID: 572

General

Start time:	16:28:36
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: svchost.exe PID: 6712 Parent PID: 572

General

Start time:	16:28:54
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: svchost.exe PID: 3928 Parent PID: 572

General

Start time:	16:29:05
Start date:	01/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff70d6e0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report spZRMihlrkFGqYq1f.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution