Windows Analysis Report P5LROPCURK

Overview

General Information

Sample Name: P5LROPCURK (renamed file extension from none to dll)
Analysis ID: 532415
MD5: fd07795adccba25223cd6d2886b07636
SHA1: bc72c869accfbb97b213c5ef8c5de400a070b936
SHA256: b777ca4e3c07d59acf57fa180c4d878db1745ae9c78a93228704aa5eadf5a6c8
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Connects to several IPs in different countries
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 0.2.loaddll32.exe.138f2d0.1.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Multi AV Scanner detection for submitted file
Source: P5LROPCURK.dll Virustotal: Detection: 26%

Compliance:

Uses 32bit PE files
Source: P5LROPCURK.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: P5LROPCURK.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4BA20 FindFirstFileExW, 0_2_6ED4BA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED4BA20 FindFirstFileExW, 2_2_6ED4BA20

Networking:

C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 18

E-Banking Fraud:

Yara detected Emotet

System Summary:

Uses 32bit PE files
Source: P5LROPCURK.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Itfgfdekendecpnp\cibm.oux:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Itfgfdekendecpnp\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005C1DF9 3_2_005C1DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D91F7 3_2_005D91F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005CB7EC 3_2_005CB7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005CFBEF 3_2_005CFBEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005E35E3 3_2_005E35E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D6B91 3_2_005D6B91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005C938F 3_2_005C938F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005CF984 3_2_005CF984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005E1987 3_2_005E1987
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005C7D87 3_2_005C7D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005C33A9 3_2_005C33A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D77A7 3_2_005D77A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005DBFA1 3_2_005DBFA1
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6ED34F90 appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6ED34F90 appears 52 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED21230 ntlbxpnmpq, 0_2_6ED21230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED21230 ntlbxpnmpq, 2_2_6ED21230
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: P5LROPCURK.dll Binary or memory string: OriginalFilenameYlncpiqzme.dll6 vs P5LROPCURK.dll
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: P5LROPCURK.dll Virustotal: Detection: 26%
Source: P5LROPCURK.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\P5LROPCURK.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\P5LROPCURK.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\P5LROPCURK.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\P5LROPCURK.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\P5LROPCURK.dll,agrwqhxohbh
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\P5LROPCURK.dll,aoydsyidkopcdbcv
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\P5LROPCURK.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Itfgfdekendecpnp\cibm.oux",wUSgoatRqMcfEKj
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\P5LROPCURK.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\P5LROPCURK.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\P5LROPCURK.dll",Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal80.troj.evad.winDLL@30/2@0/29
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED2AF10 CoCreateInstance,OleRun, 0_2_6ED2AF10
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\P5LROPCURK.dll,Control_RunDLL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5764:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED25980 GetTickCount64,FindResourceA, 0_2_6ED25980
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: P5LROPCURK.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: P5LROPCURK.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: P5LROPCURK.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: P5LROPCURK.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: P5LROPCURK.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: P5LROPCURK.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F8151C push ds; ret 0_2_00F81527
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F8150F push ds; ret 0_2_00F81527
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED34FE0 push ecx; ret 0_2_6ED34FF3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED573E1 push ecx; ret 0_2_6ED573F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED34FE0 push ecx; ret 2_2_6ED34FF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED573E1 push ecx; ret 2_2_6ED573F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005C151C push ds; ret 3_2_005C1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005C150F push ds; ret 3_2_005C1527
PE file contains an invalid checksum
Source: P5LROPCURK.dll Static PE information: real checksum: 0x75999 should be: 0x74ae0

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Itfgfdekendecpnp\cibm.oux

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Itfgfdekendecpnp\cibm.oux:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006ED26134 second address: 000000006ED26168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD23CD6A744h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006ED279F7 second address: 000000006ED27A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD23C7587EEh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006ED27A0A second address: 000000006ED279F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD23CD76E67h 0x00000014 cmp ecx, dword ptr [6ED6D008h] 0x0000001a jne 00007FD23CD6A723h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FD23CD6A72Fh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FD23CD6A882h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FD23CD6A8EEh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FD23CD6A57Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FD23CD6BC83h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6ED6D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006ED26134 second address: 000000006ED26168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD23C758804h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006ED279F7 second address: 000000006ED27A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD23CD6A72Eh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006ED27A0A second address: 000000006ED279F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD23C764F27h 0x00000014 cmp ecx, dword ptr [6ED6D008h] 0x0000001a jne 00007FD23C7587E3h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FD23C7587EFh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FD23C758942h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FD23C7589AEh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FD23C75863Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FD23C759D43h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6ED6D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006ED26134 second address: 000000006ED26168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD23CD6A744h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006ED279F7 second address: 000000006ED27A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD23C7587EEh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006ED27A0A second address: 000000006ED279F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD23CD76E67h 0x00000014 cmp ecx, dword ptr [6ED6D008h] 0x0000001a jne 00007FD23CD6A723h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FD23CD6A72Fh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FD23CD6A882h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FD23CD6A8EEh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FD23CD6A57Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FD23CD6BC83h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6ED6D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED26100 rdtscp 0_2_6ED26100
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4BA20 FindFirstFileExW, 0_2_6ED4BA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED4BA20 FindFirstFileExW, 2_2_6ED4BA20
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000006.00000002.789636149.0000029A10E41000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.789610389.000001FBA0E29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED34E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6ED34E67
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED3744C GetProcessHeap,HeapFree, 0_2_6ED3744C
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00F94315 mov eax, dword ptr fs:[00000030h] 0_2_00F94315
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED26100 mov eax, dword ptr fs:[00000030h] 0_2_6ED26100
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED26100 mov eax, dword ptr fs:[00000030h] 0_2_6ED26100
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED44F94 mov eax, dword ptr fs:[00000030h] 0_2_6ED44F94
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED27A30 mov eax, dword ptr fs:[00000030h] 0_2_6ED27A30
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED4B715 mov eax, dword ptr fs:[00000030h] 0_2_6ED4B715
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED37334 mov esi, dword ptr fs:[00000030h] 0_2_6ED37334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED26100 mov eax, dword ptr fs:[00000030h] 2_2_6ED26100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED26100 mov eax, dword ptr fs:[00000030h] 2_2_6ED26100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED44F94 mov eax, dword ptr fs:[00000030h] 2_2_6ED44F94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED27A30 mov eax, dword ptr fs:[00000030h] 2_2_6ED27A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED4B715 mov eax, dword ptr fs:[00000030h] 2_2_6ED4B715
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED37334 mov esi, dword ptr fs:[00000030h] 2_2_6ED37334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_005D4315 mov eax, dword ptr fs:[00000030h] 3_2_005D4315
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED3461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6ED3461A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED3D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6ED3D436
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED34E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6ED34E67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED3461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6ED3461A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6ED3D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6ED3D436

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\P5LROPCURK.dll",#1
Source: rundll32.exe, 00000011.00000002.791816702.0000000002CB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000011.00000002.791816702.0000000002CB0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000011.00000002.791816702.0000000002CB0000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000011.00000002.791816702.0000000002CB0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000011.00000002.791816702.0000000002CB0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6ED54EAC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6ED4CE41
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6ED54F7F
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6ED54C7C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6ED54DA4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6ED54A27
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6ED548B6
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6ED5480D
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6ED5499C
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6ED4C982
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6ED54901
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6ED54610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6ED54EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6ED4CE41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6ED54F7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6ED54C7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6ED54DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6ED54A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6ED548B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6ED5480D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6ED5499C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6ED4C982
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6ED54901
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6ED54610
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED34C86 cpuid 0_2_6ED34C86
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6ED34FF7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6ED34FF7

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 0000000B.00000002.790249875.0000027A2B502000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 3.2.rundll32.exe.29543b0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.138f2d0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2fc47e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.29543b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3120000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3234f50.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.138f2d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.2fc47e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.5c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3130000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.f80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3234f50.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.3130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.3120000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.708035577.000000000321A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.701540322.0000000003365000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.647210731.000000000293A000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.647047570.00000000005C0000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.707972883.0000000003120000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.649442718.0000000002D90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.701500859.0000000003130000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.707533149.0000000000F80000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.707566483.000000000136B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.649592685.0000000002FAA000.00000004.00000020.sdmp, type: MEMORY