Windows Analysis Report
xhOJLzQSe7

Overview

General Information

Sample Name: xhOJLzQSe7 (renamed file extension from none to dll)
Analysis ID: 669375
MD5: 2408e1b795944eabc7f184c634b0ed81
SHA1: 01f644589eebee027396cc2bc925c07f1dfbd573
SHA256: 81875fefda81b8cfa1ab74dfac14d608d01c2cd9f94abb232e2c6c91a63b3682
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: xhOJLzQSe7.dll Virustotal: Detection: 69%
Source: xhOJLzQSe7.dll Avira: detected
Source: https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq Avira URL Cloud: Label: malware
Source: https://70.36.102.35/ Avira URL Cloud: Label: malware
Source: https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjwq Avira URL Cloud: Label: malware
Source: https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjw Avira URL Cloud: Label: malware
Source: https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq9 Avira URL Cloud: Label: malware
Source: https://51.91.76.89/ Avira URL Cloud: Label: malware
Source: https://70.36.102.35/Default Avira URL Cloud: Label: malware
Source: 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["136.31.0.0:102", "144.42.251.111:1", "72.67.111.110:3", "255.255.255.255:3", "128.63.180.0:2", "65.83.89.67:68", "64.56.248.2:2", "200.220.252.2:32", "192.153.248.2:48", "1.255.0.0:929", "176.200.250.2:32", "120.16.251.2:48", "26.189.253.2:94", "192.168.2.5:2", "171.213.29.176:4", "212.253.246.49:4", "10.181.2.0:5500", "248.153.248.2:1", "120.4.0.0:1", "252.180.2.0:5516", "168.18.251.2:1", "14.181.2.0:5168", "96.15.251.2:1", "17.181.2.0:5484", "224.18.251.2:1", "23.181.2.0:2584", "48.13.251.2:1", "96.234.0.0:443", "32.17.251.2:1"]}
Source: xhOJLzQSe7.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 2_2_10011C86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_10011C86

Networking

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 217.182.25.250 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 70.36.102.35 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 119.193.124.41 7080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 92.240.254.110 8080
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.5:49816 -> 51.91.76.89:8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.5:49827 -> 119.193.124.41:7080
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View ASN Name: PERFECT-INTERNATIONALUS
Source: Joe Sandbox View IP Address: 217.182.25.250
Source: Joe Sandbox View IP Address: 70.36.102.35
Source: global traffic TCP traffic: 192.168.2.5:49769 -> 92.240.254.110:8080
Source: global traffic TCP traffic: 192.168.2.5:49816 -> 51.91.76.89:8080
Source: global traffic TCP traffic: 192.168.2.5:49822 -> 217.182.25.250:8080
Source: global traffic TCP traffic: 192.168.2.5:49827 -> 119.193.124.41:7080
Source: unknown Network traffic detected: IP country count 13
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown TCP traffic detected without corresponding DNS query: 70.36.102.35
Source: unknown TCP traffic detected without corresponding DNS query: 92.240.254.110
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: regsvr32.exe, 00000006.00000003.564381173.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972607400.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.840968249.00000257CCC64000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.799630816.0000020F4E300000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.840794935.00000257CCC14000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.799488078.0000020F4DAE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: regsvr32.exe, 00000006.00000003.564381173.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972607400.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000006.00000003.564381173.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972607400.0000000002FD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.
Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.193.124.41/
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972295392.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb
Source: regsvr32.exe, 00000006.00000002.972295392.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb#T
Source: regsvr32.exe, 00000006.00000002.972295392.0000000002F3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPb1T
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://119.193.124.41:7080/yNzUEhYRmfobVpbnIjDAnFfZFoBrGzwALuEiEPbV
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://217.182.25.250/
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://217.182.25.250/6
Source: regsvr32.exe, 00000006.00000002.972587978.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564257822.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://217.182.25.250:8080/wyXUykQBFXLgUDhBPADNipDGWMKugALsfbonBqKseR
Source: regsvr32.exe, 00000006.00000002.972587978.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564257822.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://217.182.25.250:8080/wyXUykQBFXLgUDhBPADNipDGWMKugALsfbonBqKseR9
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89/
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq
Source: regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://51.91.76.89:8080/wILlkzMrsIIqrWuKTJoVXizoHkadIszFHcIlGojhnBcDobePKzyquq9
Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.506733124.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://70.36.102.35/
Source: regsvr32.exe, 00000006.00000003.552388525.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://70.36.102.35/Default
Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjw
Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://70.36.102.35/lKdeDesHKlwQRuBQoJMtzzkSkkKhWjwq
Source: regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://92.240.254.110/
Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://92.240.254.110/t
Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552388525.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://92.240.254.110:8080/
Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://92.240.254.110:8080/OozwNWoXrNLqNNtlQCBStrfsHlZQDyVVCeVUrhuzIDQnbSNZedOwyJtV
Source: regsvr32.exe, 00000006.00000002.972587978.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564257822.0000000002FC7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://92.240.254.110:8080/OozwNWoXrNLqNNtlQCBStrfsHlZQDyVVCeVUrhuzIDQnbSNZedOwyJtV6
Source: regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://92.240.254.110:8080/i
Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 00000015.00000003.764113869.0000020F4E378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762818013.0000020F4E3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762692728.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762844012.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762785842.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.764136260.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000015.00000003.767387577.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.767327941.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 00000015.00000003.764113869.0000020F4E378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762818013.0000020F4E3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762692728.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762844012.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762785842.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.764136260.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 00000015.00000003.764113869.0000020F4E378000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762818013.0000020F4E3A9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762692728.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762844012.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.762785842.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.764136260.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: svchost.exe, 00000015.00000003.771381314.0000020F4E802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.771276935.0000020F4E3AE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.771350523.0000020F4E37B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000003.771307358.0000020F4E398000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: loaddll32.exe, 00000000.00000002.466537071.000000000097B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000ACED GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 2_2_1000ACED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000ACED GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_1000ACED

E-Banking Fraud

Source: Yara match File source: 3.2.rundll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.c10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.43f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.c00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.c10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.972201454.0000000002F01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.471795717.00000000043F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.465962452.0000000000C01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.466876693.0000000003250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.471763679.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.465829043.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.466979688.0000000003281000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.972129886.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: xhOJLzQSe7.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe File deleted: C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg:Zone.Identifier
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Smcoeugpjqpltwaq\
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021091 2_2_10021091
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10030140 2_2_10030140
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10022164 2_2_10022164
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10020220 2_2_10020220
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002D49C 2_2_1002D49C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10024556 2_2_10024556
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021564 2_2_10021564
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1000C578 2_2_1000C578
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10030682 2_2_10030682
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021938 2_2_10021938
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10028B9A 2_2_10028B9A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002FBFE 2_2_1002FBFE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10026C81 2_2_10026C81
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10030D46 2_2_10030D46
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021D44 2_2_10021D44
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10031E11 2_2_10031E11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021091 3_2_10021091
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030140 3_2_10030140
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10022164 3_2_10022164
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10020220 3_2_10020220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002D49C 3_2_1002D49C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10024556 3_2_10024556
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021564 3_2_10021564
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C578 3_2_1000C578
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030682 3_2_10030682
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021938 3_2_10021938
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10028B9A 3_2_10028B9A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002FBFE 3_2_1002FBFE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10026C81 3_2_10026C81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10030D46 3_2_10030D46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10021D44 3_2_10021D44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10031E11 3_2_10031E11
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001FBC4 appears 143 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 1001FBF7 appears 39 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10022714 appears 51 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10004D7A appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001FBC4 appears 143 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1001FBF7 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10022714 appears 51 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10004D7A appears 33 times
Source: xhOJLzQSe7.dll Binary or memory string: OriginalFilenameBaseDLG_MFC.EXEN vs xhOJLzQSe7.dll
Source: xhOJLzQSe7.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xhOJLzQSe7.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xhOJLzQSe7.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xhOJLzQSe7.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xhOJLzQSe7.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xhOJLzQSe7.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xhOJLzQSe7.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: xhOJLzQSe7.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: xhOJLzQSe7.dll Virustotal: Detection: 69%
Source: xhOJLzQSe7.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\xhOJLzQSe7.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xhOJLzQSe7.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\xhOJLzQSe7.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\xhOJLzQSe7.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg"
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winDLL@17/5@0/35
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100042F6 GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,FindResourceW,LoadResource,SizeofResource,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,VirtualAllocExNuma,GetCurrencyFormatW,GetCurrencyFormatW,GetCurrencyFormatW,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z,_printf, 2_2_100042F6
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: xhOJLzQSe7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: xhOJLzQSe7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: xhOJLzQSe7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: xhOJLzQSe7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: xhOJLzQSe7.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10022759 push ecx; ret 2_2_1002276C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FC9C push ecx; ret 2_2_1001FCAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10022759 push ecx; ret 3_2_1002276C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FC9C push ecx; ret 3_2_1001FCAF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002C912 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1002C912
Source: xhOJLzQSe7.dll Static PE information: real checksum: 0xa0f94 should be: 0xa1c03
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\xhOJLzQSe7.dll
Source: C:\Windows\SysWOW64\regsvr32.exe PE file moved: C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Smcoeugpjqpltwaq\padmvjcc.wwg:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Xzqbzebvc\likpmyarcnrmr.nnt:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Peztz\yraxpwfxlfeitn.uit:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100084E6 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_100084E6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100037A6 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 2_2_100037A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100084E6 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_100084E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100037A6 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_100037A6
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 7148 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5944 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6352 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 2_2_10011C86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10011C86 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 3_2_10011C86
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000008.00000002.840968249.00000257CCC64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 00000015.00000002.799503325.0000020F4DAF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @Hyper-V RAW
Source: regsvr32.exe, 00000006.00000003.506754073.0000000002FAA000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552349353.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.972404800.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.564199843.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.506733124.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552388525.0000000002F92000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.552291019.0000000002F88000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.840188612.00000257C742A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.840947326.00000257CCC58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.799200631.0000020F4DA85000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000C.00000002.972147470.000001A5AC602000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000C.00000002.972252494.000001A5AC628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001FBB5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002C912 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer, 2_2_1002C912
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100206F8 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_100206F8
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_1001FBB5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002ACAB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_1002ACAB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10024E50 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_10024E50
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10027FD8 SetUnhandledExceptionFilter,__encode_pointer, 2_2_10027FD8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10027FFA __decode_pointer,SetUnhandledExceptionFilter, 2_2_10027FFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001FBB5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_1001FBB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1002ACAB __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_1002ACAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10024E50 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_10024E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027FD8 SetUnhandledExceptionFilter,__encode_pointer, 3_2_10027FD8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10027FFA __decode_pointer,SetUnhandledExceptionFilter, 3_2_10027FFA

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 217.182.25.250 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 70.36.102.35 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 119.193.124.41 7080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 92.240.254.110 8080
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\xhOJLzQSe7.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_1002E7D0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_10032820
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 2_2_10005CE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_1002E7D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10032820
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA, 3_2_10005CE3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002DE74 cpuid 2_2_1002DE74
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10027ED8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_10027ED8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002C0EA __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 2_2_1002C0EA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100206F8 GetProcessHeap,GetProcessHeap,HeapAlloc,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__ioinit,__mtterm,__setargv,__setenvp,__cinit,__ioterm,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__calloc_crt,__decode_pointer,__initptd,GetCurrentThreadId,__freeptd, 2_2_100206F8

Stealing of Sensitive Information

Source: Yara match File source: 3.2.rundll32.exe.bb0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.c10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.bb0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3280000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2e00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.43f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2e00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.c00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.c10000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.972201454.0000000002F01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.471795717.00000000043F1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.465962452.0000000000C01000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.466876693.0000000003250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.471763679.0000000000C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.465829043.0000000000BB0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.466979688.0000000003281000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.972129886.0000000002E00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY