Windows Analysis Report mal.dll

Overview

General Information

Sample Name: mal.dll
Analysis ID: 532106
MD5: 9efbd03d5576686dd9f0678c09abe9fc
SHA1: 0b821e78137018bbf3f9c67d3b049e33d5b36ae5
SHA256: 972f9350219dcc2df463f923ec5b559f4ab69f083da9ccbd0976c51bc19f3f5b

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Found detection on Joe Sandbox Cloud Basic with higher score
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Checks if the current process is being debugged
Connects to several IPs in different countries
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 0.0.loaddll32.exe.7b0000.0.unpack Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}
Multi AV Scanner detection for submitted file
Source: mal.dll ReversingLabs: Detection: 24%

Compliance:

Uses 32bit PE files
Source: mal.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: mal.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA12FE7 FindFirstFileExW, 3_2_6EA12FE7

Networking:

C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 19
Source: svchost.exe, 0000000A.00000002.699912374.00000203B6E62000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000A.00000002.699638301.00000203B6E11000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000A.00000002.699595506.00000203B6E00000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: Amcache.hve.19.dr String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected Emotet

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score
Source: mal.dll Joe Sandbox Cloud Basic: Detection: malicious Score: 84 Threat Name: Emotet
Uses 32bit PE files
Source: mal.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6524 -ip 6524
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Jxqjexglbxuwcsnd\ncmurmkelbjyq.yqk:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Jxqjexglbxuwcsnd\
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E9F1C10 appears 91 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6EA0D350 appears 33 times
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Source: mal.dll ReversingLabs: Detection: 24%
Source: mal.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\mal.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mal.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal.dll,axamexdrqyrgb
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal.dll,bhramccfbdd
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jxqjexglbxuwcsnd\ncmurmkelbjyq.yqk",ewrKlpBownvGxgM
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6524 -ip 6524
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 308
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6524 -ip 6524
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 344
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal.dll,Control_RunDLL Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal.dll,axamexdrqyrgb Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal.dll,bhramccfbdd Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mal.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jxqjexglbxuwcsnd\ncmurmkelbjyq.yqk",ewrKlpBownvGxgM Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\mal.dll",Control_RunDLL Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6524 -ip 6524 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 308 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6524 -ip 6524 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 344 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER4E7D.tmp Jump to behavior
Source: classification engine Classification label: mal80.troj.evad.winDLL@31/18@0/31
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\mal.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:3732:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:6224:64:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6524
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: mal.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: mal.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: pCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000013.00000002.673923692.00000000032B2000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000013.00000003.655817193.00000000050F7000.00000004.00000001.sdmp, WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000013.00000003.658765535.0000000005971000.00000004.00000001.sdmp, WerFault.exe, 00000015.00000003.689172123.0000000005241000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029C151C push ds; ret 3_2_029C1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029C150F push ds; ret 3_2_029C1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA19153 push ecx; ret 3_2_6EA19166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02C1150F push ds; ret 6_2_02C11527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02C1151C push ds; ret 6_2_02C11527
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9FE4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 3_2_6E9FE4E0

Persistence and Installation Behavior:

barindex
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Jxqjexglbxuwcsnd\ncmurmkelbjyq.yqk Jump to behavior
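The install pattern recorded above and in the process list (the DLL moved to a randomly named subdirectory of SysWOW64 under a non-DLL extension, then relaunched through rundll32 with a random export name) is easy to pick out of process-creation telemetry. The following is an added example, not sandbox output: it parses rundll32 command lines and flags that shape. The extension and export allow-lists are the editor's assumptions, and the sample command lines are the ones from the process list of this report.

```python
"""Triage of rundll32 command lines for the install pattern in this report:
the sample moves itself to C:\\Windows\\SysWOW64\\<random>\\<random>.<odd ext>
and is relaunched through rundll32 with a random export name.

Added example for this report; it is not part of the sandbox output.
Assumptions: the allow-lists below are the editor's, not a Windows reference."""
import re
from pathlib import PureWindowsPath

# Extensions rundll32 is normally asked to load (assumption; extend for your estate).
EXPECTED_EXT = {".dll", ".cpl"}
# System directories where a module in a *subdirectory* is unusual enough to flag.
SYSTEM_DIRS = ("c:/windows/system32", "c:/windows/syswow64")
# Export names Windows itself commonly passes to rundll32 (assumption).
KNOWN_ENTRIES = {"control_rundll", "shellexec_rundll", "printuientry", "launchapplication"}

# rundll32[.exe] <module>,<entry>  -- the module may be quoted, the entry may be an ordinal (#1).
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<module>[^",]+?)"?\s*,\s*(?P<entry>#?\w+)', re.IGNORECASE)


def parse_rundll32(cmdline: str):
    """Return (module, entry) for a rundll32 invocation, or None for other command lines."""
    m = RUNDLL32_RE.search(cmdline)
    return (m.group("module"), m.group("entry")) if m else None


def classify(cmdline: str):
    """Score one command line. 'strong' reasons alone make it suspicious; 'weak' ones are context."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    module, entry = parsed
    path = PureWindowsPath(module)
    posix = path.as_posix().lower()   # C:\Windows\SysWOW64\x\y.yqk -> c:/windows/syswow64/x/y.yqk
    strong, weak = [], []
    if path.suffix.lower() not in EXPECTED_EXT:
        strong.append(f"unexpected module extension {path.suffix!r}")
    for sysdir in SYSTEM_DIRS:
        # one more '/' than the system dir itself means the module sits in a subdirectory of it
        if posix.startswith(sysdir + "/") and posix.count("/") > sysdir.count("/") + 1:
            strong.append("module in a subdirectory of a system directory")
            break
    if posix.startswith("c:/users/"):
        weak.append("module in a user-writable path")
    if not entry.startswith("#") and entry.lower() not in KNOWN_ENTRIES:
        weak.append(f"unrecognised export {entry!r}")
    return {"module": module, "entry": entry, "strong": strong, "weak": weak,
            "suspicious": bool(strong)}


def triage(cmdlines):
    """Return the classifications that are suspicious, in input order."""
    results = (classify(c) for c in cmdlines)
    return [r for r in results if r and r["suspicious"]]


# Command lines taken from the process list in this report (the only input this example uses).
REPORT_CMDLINES = [
    r'loaddll32.exe "C:\Users\user\Desktop\mal.dll"',
    r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mal.dll",#1',
    r'rundll32.exe C:\Users\user\Desktop\mal.dll,Control_RunDLL',
    r'rundll32.exe C:\Users\user\Desktop\mal.dll,axamexdrqyrgb',
    r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jxqjexglbxuwcsnd\ncmurmkelbjyq.yqk",ewrKlpBownvGxgM',
]

if __name__ == "__main__":
    for hit in triage(REPORT_CMDLINES):
        print(hit["module"], hit["entry"], hit["strong"], hit["weak"])
```

Only the relaunch of the moved module trips both strong rules; the Desktop invocations carry weak indicators only (user-writable path, unknown export), which is the right weighting for a first pass since rundll32 against a user-path DLL is common in benign installers too. Feed it the CommandLine field of Sysmon event 1 or Security event 4688 and alert on `suspicious`, keeping the weak reasons for the analyst.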

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jxqjexglbxuwcsnd\ncmurmkelbjyq.yqk:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (10 identical entries)
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (6 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior (2 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (19 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior (2 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (19 identical entries)
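Windows stores a downloaded file's origin in the Zone.Identifier alternate data stream (an INI text whose ZoneId=3 means the Internet zone). rundll32 opening that stream on the freshly moved module with delete access, as recorded at the top of this section, is the sample removing the Mark of the Web so the file no longer looks downloaded. The following is an added example, not part of the sandbox output: it parses the stream format and flags file-open records that delete or rewrite it. The stream content and the event records are constructed; one record mirrors the report line above.

```python
"""Mark-of-the-Web (MOTW).  Windows records a file's download origin in the
alternate data stream <file>:Zone.Identifier, an INI text whose ZoneId=3 means
"Internet".  In this report rundll32 opened that stream on the module it had
just moved into SysWOW64 with DELETE access, which is how the mark is removed.

Added example for this report (not sandbox output): parse the stream format and
flag file-open records that delete or rewrite it.  The event records are
constructed; only the rundll32 record mirrors the line in the report."""
import re
from configparser import ConfigParser

ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# <path>:Zone.Identifier, optionally with the explicit :$DATA stream type.
ZONE_ADS_RE = re.compile(r"^(?P<file>.+?):Zone\.Identifier(?::\$DATA)?$", re.IGNORECASE)
# Access rights that let a process remove or neutralise the mark.
TAMPER_ACCESS = {"delete", "write", "write data", "generic write", "append data"}


def parse_zone_identifier(content: str) -> dict:
    """Decode the [ZoneTransfer] INI stored in the stream."""
    cp = ConfigParser(interpolation=None)      # URLs may contain '%'
    cp.read_string(content)
    section = cp["ZoneTransfer"]
    zone_id = int(section["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer": section.get("ReferrerUrl"),
        "host": section.get("HostUrl"),
    }


def motw_tamper_events(events):
    """Return the events that open a Zone.Identifier stream with tampering rights."""
    flagged = []
    for ev in events:
        m = ZONE_ADS_RE.match(ev["path"])
        if not m:
            continue
        rights = {r.strip().lower() for r in ev["access"].split("|")}
        if rights & TAMPER_ACCESS:
            flagged.append({"process": ev["process"], "file": m.group("file"),
                            "rights": sorted(rights & TAMPER_ACCESS)})
    return flagged


# Constructed stream content, as a browser writes it for an Internet download.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/payload.bin\r\n")

# Constructed file-open records in the shape of the report's "File opened" lines.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\SysWOW64\rundll32.exe",
     "path": r"C:\Windows\SysWOW64\Jxqjexglbxuwcsnd\ncmurmkelbjyq.yqk:Zone.Identifier",
     "access": "read attributes | delete"},
    {"process": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\user\Downloads\setup.exe:Zone.Identifier",
     "access": "read data"},                       # reading the mark is normal (Explorer, SmartScreen)
    {"process": r"C:\Windows\SysWOW64\rundll32.exe",
     "path": r"C:\Users\user\Desktop\mal.dll",
     "access": "read data | execute"},             # not the stream at all
]

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    for ev in motw_tamper_events(SAMPLE_EVENTS):
        print(ev)
```

Correlate rather than alert on the stream access alone: Explorer's Unblock button and many installers also delete Zone.Identifier. The combination seen here, a PE freshly moved into a SysWOW64 subdirectory whose mark is then deleted by rundll32, is what makes the event worth a case.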

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5976 Thread sleep time: -30000s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA12FE7 FindFirstFileExW, 3_2_6EA12FE7
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.19.dr Binary or memory string: VMware
Source: Amcache.hve.19.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: svchost.exe, 0000000A.00000002.699912374.00000203B6E62000.00000004.00000001.sdmp Binary or memory string: "@Hyper-V RAW
Source: Amcache.hve.19.dr Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.19.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.19.dr Binary or memory string: VMware7,1
Source: Amcache.hve.19.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.19.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.19.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 0000000A.00000002.699850495.00000203B6E56000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.698608795.00000203B1829000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.19.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.19.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.19.dr Binary or memory string: VMware, Inc.me
Source: Amcache.hve.19.dr Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: rundll32.exe, 00000003.00000003.609001353.0000000002F88000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.19.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.19.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA129E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EA129E6
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9FE4E0 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 3_2_6E9FE4E0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E9F1290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree, 3_2_6E9F1290
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_029D4315 mov eax, dword ptr fs:[00000030h] 3_2_029D4315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA0C050 mov eax, dword ptr fs:[00000030h] 3_2_6EA0C050
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA0BFE0 mov esi, dword ptr fs:[00000030h] 3_2_6EA0BFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA0BFE0 mov eax, dword ptr fs:[00000030h] 3_2_6EA0BFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA112CB mov ecx, dword ptr fs:[00000030h] 3_2_6EA112CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA1298C mov eax, dword ptr fs:[00000030h] 3_2_6EA1298C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_02C24315 mov eax, dword ptr fs:[00000030h] 6_2_02C24315
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA0CB22 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6EA0CB22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA129E6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EA129E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA0D1CC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EA0D1CC
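The hits above are byte-level heuristics: `mov eax, dword ptr fs:[30h]` loads the PEB, where BeingDebugged (+0x02) and NtGlobalFlag (+0x68 in the 32-bit layout) reveal a debugger without calling IsDebuggerPresent, and the `push ds; ret` and `push ecx; ret` pairs listed under Data Obfuscation are push/ret jumps that defeat linear-sweep disassembly. The following added example, not code from the sample or the sandbox, shows how such hits are found statically: it scans a constructed 32-bit code buffer for those encodings and, for each PEB read, reports which PEB fields are touched right after it. The byte signatures are the standard 32-bit encodings; the 16-byte follow window is the editor's choice.

```python
"""Static spotting of the x86 idioms the sandbox reported in the unpacked code:
push/ret pairs (an indirect jump that breaks linear-sweep disassembly), call $+5
to fetch EIP, and PEB reads through fs:[30h] followed by a look at
PEB.BeingDebugged (+0x02) or PEB.NtGlobalFlag (+0x68, 32-bit layout).

Added example for this report, not code from the sample or the sandbox.  The byte
signatures are standard 32-bit encodings; the code buffer below is constructed."""
import re

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

PATTERNS = {
    # push ds ; ret (1E C3), push r32 ; ret (50..57 C3), push imm32 ; ret (68 xx xx xx xx C3)
    "push_ret": re.compile(rb"(?:\x1e|[\x50-\x57]|\x68[\x00-\xff]{4})\xc3"),
    # call $+5 ; pop r32 (E8 00 00 00 00 58..5F): position-independent code reading its own EIP
    "call_pop": re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]"),
    # mov eax, fs:[30h] (64 A1 30 00 00 00) or mov r32, fs:[30h] (64 8B modrm 30 00 00 00)
    "peb_read": re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00"),
}

# Field accesses that typically follow a PEB fetch, keyed by the PEB field they touch.
PEB_FIELD_PATTERNS = {
    # movzx r32, byte [r32+2] (0F B6 modrm 02) or cmp byte [r32+2], 0 (80 /7 02 00)
    "BeingDebugged": re.compile(rb"\x0f\xb6[\x40-\x7f]\x02|\x80[\x78-\x7f]\x02\x00"),
    # mov r32, [r32+68h] (8B modrm 68) or test byte [r32+68h], 70h (F6 /0 68 70)
    "NtGlobalFlag": re.compile(rb"\x8b[\x40-\x7f]\x68|\xf6[\x40-\x47]\x68\x70"),
}
FOLLOW_WINDOW = 16   # bytes after the PEB fetch in which a field access is attributed to it (assumption)


def scan(code: bytes):
    """All idiom hits as (offset, label), in address order."""
    hits = [(m.start(), label) for label, rx in PATTERNS.items() for m in rx.finditer(code)]
    return sorted(hits)


def peb_reads(code: bytes):
    """Each fs:[30h] read with its destination register and the PEB fields read right after it."""
    out = []
    for m in PATTERNS["peb_read"].finditer(code):
        reg = "eax" if code[m.start() + 1] == 0xA1 else REGS[(code[m.start() + 2] >> 3) & 7]
        window = code[m.end(): m.end() + FOLLOW_WINDOW]
        fields = {name for name, rx in PEB_FIELD_PATTERNS.items() if rx.search(window)}
        out.append({"offset": m.start(), "reg": reg, "fields": fields})
    return out


# Constructed 32-bit fragment (not bytes from mal.dll): an inline IsDebuggerPresent
# equivalent, an NtGlobalFlag check, then a push/ret jump and a call/pop EIP fetch.
SAMPLE = bytes.fromhex(
    "64a130000000"    # mov   eax, fs:[30h]         ; PEB
    "0fb64002"        # movzx eax, byte [eax+2]     ; PEB.BeingDebugged
    "85c0"            # test  eax, eax
    "7502"            # jnz   short +2
    "9090"            # nop ; nop
    "648b0d30000000"  # mov   ecx, fs:[30h]         ; PEB again
    "8b4168"          # mov   eax, [ecx+68h]        ; PEB.NtGlobalFlag
    "a870"            # test  al, 70h               ; heap-debug flags set under a debugger
    "6878563412"      # push  12345678h
    "c3"              # ret                         ; acts as jmp 12345678h
    "e800000000"      # call  $+5
    "5b"              # pop   ebx                   ; ebx = EIP
)

if __name__ == "__main__":
    for off, label in scan(SAMPLE):
        print(f"{off:#06x} {label}")
    for r in peb_reads(SAMPLE):
        print(f"{r['offset']:#06x} PEB -> {r['reg']} reads {sorted(r['fields'])}")
```

Two caveats when reading the report's hits. Pattern matches on raw bytes also fire on data: the two `push ds; ret` hits at 029C150F and 029C151C end at the same ret address 029C1527, so they overlap, which is what a linear sweep through non-code bytes tends to produce, and the IsDebuggerPresent / SetUnhandledExceptionFilter / UnhandledExceptionFilter chains, especially with IsProcessorFeaturePresent in front, are the MSVC runtime's /GS and fatal-error handlers found in most MSVC-built binaries. Confirm both kinds in a disassembler before counting them as deliberate evasion; the fs:[30h] reads inside the unpacked region (029Dxxxx, 02C2xxxx) are the ones worth a look. Also weigh the source of each line: the VMware and Hyper-V strings under Malware Analysis System Evasion come from Amcache.hve, a Windows hive captured during the run, and describe the sandbox VM's own hardware inventory rather than a check the sample performed.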

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\mal.dll",#1 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6524 -ip 6524 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 308 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 6524 -ip 6524 Jump to behavior
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6524 -s 344 Jump to behavior
Source: loaddll32.exe, 00000000.00000000.676826928.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.650829854.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.649686961.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678250135.00000000013F0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.699645728.0000000003200000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000000.676826928.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.650829854.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.649686961.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678250135.00000000013F0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.699645728.0000000003200000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000000.676826928.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.650829854.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.649686961.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678250135.00000000013F0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.699645728.0000000003200000.00000002.00020000.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000000.676826928.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.650829854.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.649686961.00000000013F0000.00000002.00020000.sdmp, loaddll32.exe, 00000000.00000000.678250135.00000000013F0000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.699645728.0000000003200000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA0CC44 cpuid 3_2_6EA0CC44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6EA0CE15 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_6EA0CE15

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.19.dr, Amcache.hve.LOG1.19.dr Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.19.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.19.dr, Amcache.hve.LOG1.19.dr Binary or memory string: procexp.exe

Stealing of Sensitive Information:

barindex
Yara detected Emotet
Source: Yara match File source: 0.0.loaddll32.exe.c42f68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.29c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c42f68.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c42f68.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.7b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.7b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2c10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2d60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.7b0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2c10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c42f68.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c42f68.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2f020d8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c42f68.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.7b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2d60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.29320e8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.7b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c42f68.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.7b0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.7b0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.c42f68.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2dc2098.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.29c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2780000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.7b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.2780000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.2dc2098.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.29320e8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.2f020d8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.650731221.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.649143533.00000000007B0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.676710015.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.649539674.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.620619819.00000000029C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.675954463.00000000007B0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.607531187.0000000002F59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.648863734.0000000002D60000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.678039015.0000000000C3C000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.646384056.000000000291A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.648896656.0000000002EEA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.639924880.0000000002DAA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.677709015.00000000007B0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.646347873.0000000002780000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.639880819.0000000002C10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.650535103.00000000007B0000.00000040.00000010.sdmp, type: MEMORY
[Legend of the contacted-IP world map: countries are shaded by their share of the contacted IPs, in bins of under 25%, 25% to 50%, 50% to 75% and over 75%.]