Windows Analysis Report UioA2E9DBG

Overview

General Information

Sample Name: UioA2E9DBG (renamed file extension from none to dll)
Analysis ID: 532429
MD5: 6988533cf7cbdccd0ea429571e0441a9
SHA1: 27836d3e04a31548fa09ec8537ba50777a73a42a
SHA256: 8d6912a12fdccb3d6d55980c3b1fd20cc97a2736d3381e315657a3d6f2f8d1b3
Tags: 32dllexe
Detection

Emotet
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Emotet
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Connects to several IPs in different countries
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 5.2.rundll32.exe.1130000.1.unpack Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2"]}
Multi AV Scanner detection for submitted file
Source: UioA2E9DBG.dll Virustotal: Detection: 23%

Compliance:

Uses 32bit PE files
Source: UioA2E9DBG.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: UioA2E9DBG.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E91BA20 FindFirstFileExW, 1_2_6E91BA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E91BA20 FindFirstFileExW, 4_2_6E91BA20

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 104.245.52.73:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 103.8.26.103:8080
Source: Malware configuration extractor IPs: 185.184.25.237:8080
Source: Malware configuration extractor IPs: 103.8.26.102:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 51.68.175.8:8080
Source: Malware configuration extractor IPs: 210.57.217.132:8080
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT ARUBA-ASNIT
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99 212.237.17.99
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 19
Source: svchost.exe, 0000000A.00000002.829573302.000001EA7E261000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000A.00000002.829416267.000001EA7E219000.00000004.00000001.sdmp String found in binary or memory: http://crl.ver)

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 1.2.loaddll32.exe.113eef0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.113eef0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.d64248.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6f4270.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1130000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.dd4318.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.d64248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.8e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6f4270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.dd4318.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.684418715.0000000000380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.696991092.0000000000D90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.828298416.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.694340801.0000000000A30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.684454921.00000000006DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.683073019.0000000000DBA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.694486235.0000000000AB6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.696143071.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.683120624.0000000001130000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.828605995.00000000009D5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.697195816.000000000111B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.696221862.0000000000D4A000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files
Source: UioA2E9DBG.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Jsczeisswlgpw\ifzwhxr.fpp:Zone.Identifier
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Jsczeisswlgpw\
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB06EF 1_2_00DB06EF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DAED95 1_2_00DAED95
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA7EDD 1_2_00DA7EDD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB0AD3 1_2_00DB0AD3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D954C0 1_2_00D954C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB20F8 1_2_00DB20F8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9E6FD 1_2_00D9E6FD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9BEF5 1_2_00D9BEF5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9A8E8 1_2_00D9A8E8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9F699 1_2_00D9F699
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9D899 1_2_00D9D899
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9C69B 1_2_00D9C69B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D93085 1_2_00D93085
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DAB0BA 1_2_00DAB0BA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9AEB9 1_2_00D9AEB9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA3ABE 1_2_00DA3ABE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA56A9 1_2_00DA56A9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D968AD 1_2_00D968AD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9F4A5 1_2_00D9F4A5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA04A4 1_2_00DA04A4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA645F 1_2_00DA645F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA604E 1_2_00DA604E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DAE478 1_2_00DAE478
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB1C71 1_2_00DB1C71
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB0C66 1_2_00DB0C66
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DABA18 1_2_00DABA18
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA1C12 1_2_00DA1C12
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB2C16 1_2_00DB2C16
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9F20D 1_2_00D9F20D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D93E3B 1_2_00D93E3B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DACC3F 1_2_00DACC3F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA0A37 1_2_00DA0A37
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA0824 1_2_00DA0824
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DAE7DA 1_2_00DAE7DA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA89DA 1_2_00DA89DA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA13DB 1_2_00DA13DB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D95DC3 1_2_00D95DC3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D939C3 1_2_00D939C3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D92DC5 1_2_00D92DC5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA4DC5 1_2_00DA4DC5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA0FC5 1_2_00DA0FC5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D91DF9 1_2_00D91DF9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DAD5FE 1_2_00DAD5FE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D96BFE 1_2_00D96BFE
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA91F7 1_2_00DA91F7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9B7EC 1_2_00D9B7EC
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9FBEF 1_2_00D9FBEF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB35E3 1_2_00DB35E3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9938F 1_2_00D9938F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB1987 1_2_00DB1987
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9F984 1_2_00D9F984
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D97D87 1_2_00D97D87
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D933A9 1_2_00D933A9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DABFA1 1_2_00DABFA1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA77A7 1_2_00DA77A7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D98D59 1_2_00D98D59
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9635F 1_2_00D9635F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB314A 1_2_00DB314A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB2D4F 1_2_00DB2D4F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D94F42 1_2_00D94F42
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DAC145 1_2_00DAC145
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9597D 1_2_00D9597D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D92B7C 1_2_00D92B7C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA5B7C 1_2_00DA5B7C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DAC772 1_2_00DAC772
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D92575 1_2_00D92575
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D92176 1_2_00D92176
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9196D 1_2_00D9196D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9996C 1_2_00D9996C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DAF561 1_2_00DAF561
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB2560 1_2_00DB2560
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D99565 1_2_00D99565
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D95166 1_2_00D95166
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9DD66 1_2_00D9DD66
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA8518 1_2_00DA8518
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D98112 1_2_00D98112
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D95314 1_2_00D95314
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D94716 1_2_00D94716
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DAD10B 1_2_00DAD10B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA710D 1_2_00DA710D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DB3306 1_2_00DB3306
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D97739 1_2_00D97739
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA473A 1_2_00DA473A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA3130 1_2_00DA3130
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9E336 1_2_00D9E336
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DACF2C 1_2_00DACF2C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9B12E 1_2_00D9B12E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D96125 1_2_00D96125
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8F5980 1_2_6E8F5980
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8F6100 1_2_6E8F6100
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E91AE28 1_2_6E91AE28
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E921F65 1_2_6E921F65
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E902C70 1_2_6E902C70
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E90FD1F 1_2_6E90FD1F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8F2D10 1_2_6E8F2D10
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E911D50 1_2_6E911D50
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E9258EF 1_2_6E9258EF
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8FE6B0 1_2_6E8FE6B0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E9257CB 1_2_6E9257CB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E920569 1_2_6E920569
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8F9380 1_2_6E8F9380
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E90C366 1_2_6E90C366
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E90C132 1_2_6E90C132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E8F5980 4_2_6E8F5980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E8F6100 4_2_6E8F6100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E91AE28 4_2_6E91AE28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E921F65 4_2_6E921F65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E902C70 4_2_6E902C70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E90FD1F 4_2_6E90FD1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E8F2D10 4_2_6E8F2D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E911D50 4_2_6E911D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E9258EF 4_2_6E9258EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E8FE6B0 4_2_6E8FE6B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E9257CB 4_2_6E9257CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E920569 4_2_6E920569
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E8F9380 4_2_6E8F9380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E90C366 4_2_6E90C366
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E90C132 4_2_6E90C132
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114ED95 5_2_0114ED95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011506EF 5_2_011506EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01138112 5_2_01138112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01134716 5_2_01134716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01135314 5_2_01135314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01148518 5_2_01148518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01153306 5_2_01153306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114710D 5_2_0114710D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114D10B 5_2_0114D10B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01143130 5_2_01143130
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113E336 5_2_0113E336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01137739 5_2_01137739
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114473A 5_2_0114473A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01136125 5_2_01136125
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114CF2C 5_2_0114CF2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113B12E 5_2_0113B12E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01138D59 5_2_01138D59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113635F 5_2_0113635F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01134F42 5_2_01134F42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114C145 5_2_0114C145
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01152D4F 5_2_01152D4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0115314A 5_2_0115314A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01132176 5_2_01132176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114C772 5_2_0114C772
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01132575 5_2_01132575
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01145B7C 5_2_01145B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113597D 5_2_0113597D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01132B7C 5_2_01132B7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114F561 5_2_0114F561
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01135166 5_2_01135166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113DD66 5_2_0113DD66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01152560 5_2_01152560
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01139565 5_2_01139565
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113196D 5_2_0113196D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113996C 5_2_0113996C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01151987 5_2_01151987
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01137D87 5_2_01137D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113F984 5_2_0113F984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113938F 5_2_0113938F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011477A7 5_2_011477A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114BFA1 5_2_0114BFA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011333A9 5_2_011333A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114E7DA 5_2_0114E7DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011489DA 5_2_011489DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011413DB 5_2_011413DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01135DC3 5_2_01135DC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011339C3 5_2_011339C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01144DC5 5_2_01144DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01140FC5 5_2_01140FC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01132DC5 5_2_01132DC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011491F7 5_2_011491F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01131DF9 5_2_01131DF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114D5FE 5_2_0114D5FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01136BFE 5_2_01136BFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011535E3 5_2_011535E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113FBEF 5_2_0113FBEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113B7EC 5_2_0113B7EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01152C16 5_2_01152C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01141C12 5_2_01141C12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114BA18 5_2_0114BA18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113F20D 5_2_0113F20D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01140A37 5_2_01140A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01133E3B 5_2_01133E3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114CC3F 5_2_0114CC3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01140824 5_2_01140824
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114645F 5_2_0114645F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114604E 5_2_0114604E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01151C71 5_2_01151C71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114E478 5_2_0114E478
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01150C66 5_2_01150C66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113C69B 5_2_0113C69B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113F699 5_2_0113F699
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113D899 5_2_0113D899
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01133085 5_2_01133085
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01143ABE 5_2_01143ABE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113AEB9 5_2_0113AEB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0114B0BA 5_2_0114B0BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011404A4 5_2_011404A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113F4A5 5_2_0113F4A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011456A9 5_2_011456A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011368AD 5_2_011368AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01150AD3 5_2_01150AD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01147EDD 5_2_01147EDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011354C0 5_2_011354C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113BEF5 5_2_0113BEF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_011520F8 5_2_011520F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113E6FD 5_2_0113E6FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113A8E8 5_2_0113A8E8
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E904F90 appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E904F90 appears 52 times
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8F1230 ntlbxpnmpq, 1_2_6E8F1230
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E8F1230 ntlbxpnmpq, 4_2_6E8F1230
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: UioA2E9DBG.dll Binary or memory string: OriginalFilenameYlncpiqzme.dll6 vs UioA2E9DBG.dll
Source: UioA2E9DBG.dll Virustotal: Detection: 23%
Source: UioA2E9DBG.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,agrwqhxohbh
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,aoydsyidkopcdbcv
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jsczeisswlgpw\ifzwhxr.fpp",gqJNgJRYaqyk
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,agrwqhxohbh
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,aoydsyidkopcdbcv
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jsczeisswlgpw\ifzwhxr.fpp",gqJNgJRYaqyk
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: classification engine Classification label: mal80.troj.evad.winDLL@22/4@0/30
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8FAF10 CoCreateInstance,OleRun, 1_2_6E8FAF10
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\UioA2E9DBG.dll,Control_RunDLL
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8F5980 GetTickCount64,FindResourceA, 1_2_6E8F5980
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: UioA2E9DBG.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: UioA2E9DBG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: UioA2E9DBG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: UioA2E9DBG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: UioA2E9DBG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: UioA2E9DBG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9151C push ds; ret 1_2_00D91527
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00D9150F push ds; ret 1_2_00D91527
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E904FE0 push ecx; ret 1_2_6E904FF3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8FE240 push esi; ret 1_2_6E8FE242
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E9273E1 push ecx; ret 1_2_6E9273F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E904FE0 push ecx; ret 4_2_6E904FF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E8FE240 push esi; ret 4_2_6E8FE242
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E9273E1 push ecx; ret 4_2_6E9273F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113151C push ds; ret 5_2_01131527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0113150F push ds; ret 5_2_01131527
PE file contains an invalid checksum
Source: UioA2E9DBG.dll Static PE information: real checksum: 0x75999 should be: 0x74f7b

Persistence and Installation Behavior:

Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Jsczeisswlgpw\ifzwhxr.fpp

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jsczeisswlgpw\ifzwhxr.fpp:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E8F6134 second address: 000000006E8F6168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FEE48EA84B4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E8F79F7 second address: 000000006E8F7A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FEE48B5C3DEh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E8F7A0A second address: 000000006E8F79F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FEE48EB4BD7h 0x00000014 cmp ecx, dword ptr [6E93D008h] 0x0000001a jne 00007FEE48EA8493h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FEE48EA849Fh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FEE48EA85F2h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FEE48EA865Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FEE48EA82EEh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FEE48EA99F3h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6E93D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E8F6134 second address: 000000006E8F6168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FEE48B5C3F4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E8F79F7 second address: 000000006E8F7A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FEE48EA849Eh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E8F7A0A second address: 000000006E8F79F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FEE48B68B17h 0x00000014 cmp ecx, dword ptr [6E93D008h] 0x0000001a jne 00007FEE48B5C3D3h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FEE48B5C3DFh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FEE48B5C532h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FEE48B5C59Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FEE48B5C22Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FEE48B5D933h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6E93D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E8F6134 second address: 000000006E8F6168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FEE48EA84B4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E8F79F7 second address: 000000006E8F7A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FEE48B5C3DEh 0x00000007 rdtscp
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 000000006E8F7A0A second address: 000000006E8F79F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FEE48EB4BD7h 0x00000014 cmp ecx, dword ptr [6E93D008h] 0x0000001a jne 00007FEE48EA8493h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FEE48EA849Fh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FEE48EA85F2h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FEE48EA865Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FEE48EA82EEh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FEE48EA99F3h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6E93D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 6540 Thread sleep time: -30000s >= -30000s
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8F6100 rdtscp 1_2_6E8F6100
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E91BA20 FindFirstFileExW, 1_2_6E91BA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E91BA20 FindFirstFileExW, 4_2_6E91BA20
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 0000000A.00000002.828305794.000001EA7CC29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@P&~
Source: svchost.exe, 0000000A.00000002.829573302.000001EA7E261000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.829529101.000001EA7E254000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E904E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E904E67
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E90744C GetProcessHeap,HeapFree, 1_2_6E90744C
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8F6100 rdtscp 1_2_6E8F6100
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_00DA4315 mov eax, dword ptr fs:[00000030h] 1_2_00DA4315
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8F6100 mov eax, dword ptr fs:[00000030h] 1_2_6E8F6100
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E914F94 mov eax, dword ptr fs:[00000030h] 1_2_6E914F94
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E8F7A30 mov eax, dword ptr fs:[00000030h] 1_2_6E8F7A30
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E91B715 mov eax, dword ptr fs:[00000030h] 1_2_6E91B715
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E907334 mov esi, dword ptr fs:[00000030h] 1_2_6E907334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E8F6100 mov eax, dword ptr fs:[00000030h] 4_2_6E8F6100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E914F94 mov eax, dword ptr fs:[00000030h] 4_2_6E914F94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E8F7A30 mov eax, dword ptr fs:[00000030h] 4_2_6E8F7A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E91B715 mov eax, dword ptr fs:[00000030h] 4_2_6E91B715
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E907334 mov esi, dword ptr fs:[00000030h] 4_2_6E907334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01144315 mov eax, dword ptr fs:[00000030h] 5_2_01144315
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E904E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E904E67
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E90461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6E90461A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E90D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E90D436
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E904E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E904E67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E90461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6E90461A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E90D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E90D436

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\UioA2E9DBG.dll",#1
Source: rundll32.exe, 0000000E.00000002.829511737.00000000032E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000000E.00000002.829511737.00000000032E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000E.00000002.829511737.00000000032E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000000E.00000002.829511737.00000000032E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E924EAC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E91CE41
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_6E924F7F
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E924C7C
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6E924DA4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_6E924A27
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E9248B6
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E92480D
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E92499C
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E91C982
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E924901
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_6E924610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E924EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E91CE41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E924F7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E924C7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6E924DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E924A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E9248B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E92480D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E92499C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E91C982
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E924901
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6E924610
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E904C86 cpuid 1_2_6E904C86
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E904FF7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_6E904FF7

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 1.2.loaddll32.exe.113eef0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.113eef0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.d64248.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6f4270.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.d90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1130000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.b10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.dd4318.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.d64248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.b10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.d90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.380000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.8e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.380000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.6f4270.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.a30000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.8e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.dd4318.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.1130000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.684418715.0000000000380000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.696991092.0000000000D90000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.828298416.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.694340801.0000000000A30000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.684454921.00000000006DA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.683073019.0000000000DBA000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.694486235.0000000000AB6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.696143071.0000000000B10000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.683120624.0000000001130000.00000040.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.828605995.00000000009D5000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.697195816.000000000111B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.696221862.0000000000D4A000.00000004.00000020.sdmp, type: MEMORY