Windows Analysis Report
6xfFjxyRXf

Overview

General Information

Sample Name: 6xfFjxyRXf (renamed file extension from none to dll)
Analysis ID: 669376
MD5: f63300c5bbb25b90839996a6d1b8daf3
SHA1: 663b6080201bb8258c3a17b552094ae25d0ae9eb
SHA256: 9ba940714eb15665a5e28c43c1e4d1dee3f086d76c197015e0aa4b40b809ded0
Tags: 32, dll, exe, trojan

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Registers a DLL
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: 6xfFjxyRXf.dll Virustotal: Detection: 69%
Source: 6xfFjxyRXf.dll Joe Sandbox ML: detected
Source: 00000005.00000002.917270830.0000000002A49000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Emotet {"C2 list": ["184.134.163.2:1", "192.16.0.0:1472", "180.4.0.0:1", "148.4.0.0:1", "116.4.0.0:1", "160.4.0.0:1", "128.4.0.0:1", "164.4.0.0:1", "124.4.0.0:1", "176.4.0.0:1", "232.22.167.2:48", "144.23.167.2:48", "195.194.0.0:7080", "241.253.2.0:2848", "112.135.213.118:5", "235.253.2.0:2848", "255.255.255.255:3", "243.253.2.0:3908", "245.253.2.0:5388", "192.141.163.2:1", "249.253.2.0:2864", "28.188.226.4:4597", "255.178.3.0:1432", "208.146.163.2:1", "250.178.3.0:5056", "92.179.3.0:808", "24.149.166.2:1", "94.179.3.0:2448", "246.178.3.0:5208", "208.60.169.2:1", "136.86.171.2:1", "32.76.231.4:1"]}
Source: 6xfFjxyRXf.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023806 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10023806 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA

Networking

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 217.182.25.250 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 189.232.46.161 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 119.193.124.41 7080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 216.120.236.62 8080
Source: Traffic Snort IDS: 2404338 ET CNC Feodo Tracker Reported CnC Server TCP group 20 192.168.2.6:49844 -> 51.91.76.89:8080
Source: Traffic Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.6:49859 -> 119.193.124.41:7080
Source: Joe Sandbox View ASN Name: OVHFR
Source: Joe Sandbox View ASN Name: WOODYNET-2US
Source: Joe Sandbox View IP Address: 217.182.25.250
Source: global traffic TCP traffic: 192.168.2.6:49773 -> 216.120.236.62:8080
Source: global traffic TCP traffic: 192.168.2.6:49844 -> 51.91.76.89:8080
Source: global traffic TCP traffic: 192.168.2.6:49855 -> 217.182.25.250:8080
Source: global traffic TCP traffic: 192.168.2.6:49859 -> 119.193.124.41:7080
Source: unknown Network traffic detected: IP country count 17
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown TCP traffic detected without corresponding DNS query: 216.120.236.62
Source: unknown TCP traffic detected without corresponding DNS query: 189.232.46.161
Source: unknown TCP traffic detected without corresponding DNS query: 51.91.76.89
Source: unknown TCP traffic detected without corresponding DNS query: 217.182.25.250
Source: unknown TCP traffic detected without corresponding DNS query: 119.193.124.41
Source: svchost.exe, 0000000E.00000002.584541505.0000023F14300000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.5.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://help.disneyplus.com.
Source: svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://disneyplus.com/legal.
Source: svchost.exe, 0000000E.00000003.565704127.0000023F14819000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564883544.0000023F14388000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564185932.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.565394424.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564280175.0000023F14802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564163015.0000023F1439A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564576094.0000023F14803000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.hotspotshield.com/
Source: svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 0000000E.00000003.571353182.0000023F14388000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: svchost.exe, 0000000E.00000003.565704127.0000023F14819000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564883544.0000023F14388000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564185932.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.565394424.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564280175.0000023F14802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564163015.0000023F1439A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564576094.0000023F14803000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.hotspotshield.com/terms/
Source: svchost.exe, 0000000E.00000003.565704127.0000023F14819000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564883544.0000023F14388000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564185932.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.565394424.0000023F143AA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564280175.0000023F14802000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564163015.0000023F1439A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.564576094.0000023F14803000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.pango.co/privacy
Source: loaddll32.exe, 00000000.00000002.416924605.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10020E85 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10020E85 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA

E-Banking Fraud

Source: Yara match File source: 2.2.regsvr32.exe.4f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.46b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.c20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.2b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.bf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4f60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.2b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.406595295.0000000000BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.917544011.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.406621589.00000000046B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.917618972.0000000004481000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.414918130.0000000004F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.406594585.0000000004680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: 6xfFjxyRXf.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\regsvr32.exe File deleted: C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv:Zone.Identifier
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Windows\SysWOW64\Nrzawqzutwib\
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C26C5E 3_2_00C26C5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C29DE0 3_2_00C29DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C33EE6 3_2_00C33EE6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C37EB9 3_2_00C37EB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3A0F3 3_2_00C3A0F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C360FA 3_2_00C360FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C34093 3_2_00C34093
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3B0A4 3_2_00C3B0A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3F05E 3_2_00C3F05E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3001B 3_2_00C3001B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C23023 3_2_00C23023
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C291D6 3_2_00C291D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C301BF 3_2_00C301BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3E10C 3_2_00C3E10C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C332C5 3_2_00C332C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C242B2 3_2_00C242B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2A203 3_2_00C2A203
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2E214 3_2_00C2E214
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3C234 3_2_00C3C234
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C353D5 3_2_00C353D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3630A 3_2_00C3630A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C324F9 3_2_00C324F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3E4B2 3_2_00C3E4B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C254B9 3_2_00C254B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3B45C 3_2_00C3B45C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2D5D6 3_2_00C2D5D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C375AD 3_2_00C375AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C40559 3_2_00C40559
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2A528 3_2_00C2A528
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C286ED 3_2_00C286ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C35689 3_2_00C35689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3169D 3_2_00C3169D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3D6A7 3_2_00C3D6A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C34658 3_2_00C34658
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2260B 3_2_00C2260B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2A7C4 3_2_00C2A7C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C237FA 3_2_00C237FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3F7FE 3_2_00C3F7FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2B704 3_2_00C2B704
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C33711 3_2_00C33711
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3E71C 3_2_00C3E71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2D8E0 3_2_00C2D8E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3D8FE 3_2_00C3D8FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2F88D 3_2_00C2F88D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3481A 3_2_00C3481A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C219C8 3_2_00C219C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2A9D2 3_2_00C2A9D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C359FA 3_2_00C359FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2E942 3_2_00C2E942
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3E947 3_2_00C3E947
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C37915 3_2_00C37915
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2593C 3_2_00C2593C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3BA7C 3_2_00C3BA7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C24A11 3_2_00C24A11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C29BDE 3_2_00C29BDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2FBDD 3_2_00C2FBDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3CBE5 3_2_00C3CBE5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2DB9B 3_2_00C2DB9B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2BB44 3_2_00C2BB44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C33B17 3_2_00C33B17
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3FC6F 3_2_00C3FC6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C31DCF 3_2_00C31DCF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C25D99 3_2_00C25D99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C28DA4 3_2_00C28DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3BDB0 3_2_00C3BDB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C35D5E 3_2_00C35D5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C21D5C 3_2_00C21D5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C38D6C 3_2_00C38D6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C34D2B 3_2_00C34D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2CED3 3_2_00C2CED3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C22EF6 3_2_00C22EF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C23FE5 3_2_00C23FE5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3FFAC 3_2_00C3FFAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C38FB0 3_2_00C38FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C32FB9 3_2_00C32FB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C3BF4C 3_2_00C3BF4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C30F57 3_2_00C30F57
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C36F79 3_2_00C36F79
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10012CE0 appears 48 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10011A8C appears 120 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 10023100 appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10012CE0 appears 48 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10011A8C appears 120 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10023100 appears 31 times
Source: 6xfFjxyRXf.dll Binary or memory string: OriginalFilenameProcess Viewer.exe vs 6xfFjxyRXf.dll
Source: 6xfFjxyRXf.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: 6xfFjxyRXf.dll Virustotal: Detection: 69%
Source: 6xfFjxyRXf.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6xfFjxyRXf.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllUnregisterServerrrrrrrrrrrr
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6xfFjxyRXf.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6xfFjxyRXf.dll,DllUnregisterServerrrrrrrrrrrr
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe /s "C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv"
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InProcServer32
Source: classification engine Classification label: mal92.troj.evad.winDLL@18/2@0/37
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10006650 CreateToolhelp32Snapshot,Process32First,SendMessageA,SendMessageA,SendMessageA,OpenProcess,TerminateProcess,CloseHandle,SendMessageA,SendMessageA,Process32Next,CloseHandle,Sleep, 2_2_10006650
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10005FD0 LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,memcpy,malloc,??3@YAXPAX@Z, 2_2_10005FD0
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 6xfFjxyRXf.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 6xfFjxyRXf.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 6xfFjxyRXf.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 6xfFjxyRXf.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 6xfFjxyRXf.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100116D0 push eax; ret 2_2_100116E4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100116D0 push eax; ret 2_2_1001170C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10011A8C push eax; ret 2_2_10011AAA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10012D1B push ecx; ret 2_2_10012D2B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04F6179E push ds; retf 2_2_04F6179F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_04F610BB push ebx; ret 2_2_04F610C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100116D0 push eax; ret 3_2_100116E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100116D0 push eax; ret 3_2_1001170C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10011A8C push eax; ret 3_2_10011AAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10012D1B push ecx; ret 3_2_10012D2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C210BB push ebx; ret 3_2_00C210C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00C2179E push ds; retf 3_2_00C2179F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021590 LoadLibraryA,GetProcAddress,FreeLibrary, 2_2_10021590
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\6xfFjxyRXf.dll
Source: C:\Windows\SysWOW64\regsvr32.exe PE file moved: C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\regsvr32.exe File opened: C:\Windows\SysWOW64\Nrzawqzutwib\qenu.dlv:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ydixzzwmsfkx\nuzdumx.iuq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hzzrgo\lwtswlxa.yeh:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10008124 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_10008124
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10005B60 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 2_2_10005B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10008124 IsIconic,GetWindowPlacement,GetWindowRect, 3_2_10008124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10005B60 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon, 3_2_10005B60
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe TID: 6220 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 3.6 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.6 %
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_100114D8 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 2_2_100114D8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10023806 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 2_2_10023806
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10023806 __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 3_2_10023806
Source: C:\Windows\SysWOW64\regsvr32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\regsvr32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 0000000B.00000002.917163561.00000262FC402000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 0000000E.00000002.584271882.0000023F13AE8000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.583807616.0000023F13A70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.583910159.0000023F13A88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.917233832.00000262FC428000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10021590 LoadLibraryA,GetProcAddress,FreeLibrary, 2_2_10021590
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10004BB0 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,memcpy, 2_2_10004BB0
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10018246 SetUnhandledExceptionFilter, 2_2_10018246
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001825A SetUnhandledExceptionFilter, 2_2_1001825A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10018246 SetUnhandledExceptionFilter, 3_2_10018246
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1001825A SetUnhandledExceptionFilter, 3_2_1001825A

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 217.182.25.250 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 51.91.76.89 8080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 189.232.46.161 443
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 119.193.124.41 7080
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 216.120.236.62 8080
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6xfFjxyRXf.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 2_2_100268C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA, 2_2_10019AB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 2_2_10006D70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA, 3_2_100268C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_10019AB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP, 3_2_10006D70
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1001712C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 2_2_1001712C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_10019164 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy, 2_2_10019164
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_1002871E GetVersion,LoadCursorA,LoadCursorA,LoadCursorA, 2_2_1002871E

Stealing of Sensitive Information

Source: Yara match File source: 2.2.regsvr32.exe.4f00000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4680000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.46b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.4480000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4f00000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4680000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.c20000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.2b50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.bf0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.regsvr32.exe.4f60000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.regsvr32.exe.2b50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.406595295.0000000000BF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.406684150.0000000000C21000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.415134102.0000000004F61000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.917544011.0000000002B50000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.406621589.00000000046B1000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.917618972.0000000004481000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.414918130.0000000004F00000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.406594585.0000000004680000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY