Windows Analysis Report
5iiXyNVCQ3

Overview

General Information

Sample Name: 5iiXyNVCQ3 (renamed file extension from none to dll)
Analysis ID: 736960
MD5: 73c06c75bd9aa0a194b0dc73ab38cac5
SHA1: 7604d4be31e6c017e3bd9a1e5590a81a7aafb40f
SHA256: fde687287ef8cd7e6a6ce655355eaca2fba25fd6c22cc1e4040281f73205ba90

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Injects a PE file into a foreign process
Contains functionality to inject code into remote processes
Machine Learning detection for dropped file
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Potential key logger detected (key state polling based)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 5iiXyNVCQ3.dll Virustotal: Detection: 92%
Source: 5iiXyNVCQ3.dll ReversingLabs: Detection: 95%
Source: 5iiXyNVCQ3.dll Metadefender: Detection: 80%
Source: 5iiXyNVCQ3.dll Avira: detected
Source: 52eva.top Virustotal: Detection: 6%
Source: C:\Program Files\WinRAP\RarExt32.dll Avira: detection malicious, Label: HEUR/AGEN.1238485
Source: C:\Program Files\WinRAP\RarExt32.dll ReversingLabs: Detection: 95%
Source: C:\Program Files\WinRAP\RarExt32.dll Virustotal: Detection: 92%
Source: C:\Program Files\WinRAP\RarExt32.dll Metadefender: Detection: 80%
Source: 5iiXyNVCQ3.dll Joe Sandbox ML: detected
Source: C:\Program Files\WinRAP\RarExt32.dll Joe Sandbox ML: detected
Source: 0.0.loaddll32.exe.bd4498.0.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.280e2dd.4.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.1000e2dd.2.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.475e2dd.1.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 7.3.svchost.exe.e56000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.3.loaddll32.exe.280e2dd.0.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.1000e2dd.2.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.2.loaddll32.exe.280e2dd.1.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.475e2dd.4.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 4.2.rundll32.exe.1000e2dd.1.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.2.rundll32.exe.f1fe88.0.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.2.rundll32.exe.475e2dd.1.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.3.rundll32.exe.475e2dd.0.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 4.3.rundll32.exe.68ffa0.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 7.3.svchost.exe.eab008.0.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 4.3.rundll32.exe.aee2dd.0.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.1000e2dd.5.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.f1fe88.3.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.1000e2dd.5.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.0.rundll32.exe.f1fe88.0.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.bd4498.3.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.2.loaddll32.exe.1000e2dd.2.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 4.2.rundll32.exe.aee2dd.0.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 3.2.rundll32.exe.1000e2dd.2.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 0.0.loaddll32.exe.280e2dd.1.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 4.3.rundll32.exe.68ffa0.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.loaddll32.exe.bd4498.0.unpack Avira: Label: TR/Crypt.NSPM.Gen
Source: 5iiXyNVCQ3.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe Directory created: C:\Program Files\WinRAP
Source: C:\Windows\SysWOW64\rundll32.exe Directory created: C:\Program Files\WinRAP\RarExt32.dll
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00483CEE __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpy, 7_2_00483CEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041EED0 FindFirstFileA,FindClose, 7_2_0041EED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040F300 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 7_2_0040F300
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00417FF0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 7_2_00417FF0
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_1000300A
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_1000300A
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_1000300A
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-30h], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10001027
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_10002D31
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_10002D31
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_10002D31
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-64h], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-64h], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_100013D3
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_100013D3
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_100013D3
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_100013D3
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_10004606
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_10004610
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1000461A
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_10004624
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_1000462E
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 0_2_1000283C
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10005E5F
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10005E5F
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10005E5F
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_10006272
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_10006272
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1000667B
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_1000667B
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_10008C8B
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_10008C8B
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100068F2
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10005F47
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_10005F47
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 0_2_10001F4E
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_1000676C
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10005D6F
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_10005D6F
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10007779
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_10008779
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_10008779
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 0_2_10008779
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 0_2_10008779
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_10008779
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 0_2_10008779
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_10006984
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_10007FBF
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_100065CF
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_100061D0
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_100061D0
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10007FFC
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10007FFC
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10007FFC
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 0_2_10007FFC
Source: C:\Windows\System32\loaddll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 0_2_100045FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 3_2_1000300A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 3_2_1000300A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 3_2_1000300A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-30h], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 3_2_10001027
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 3_2_10005E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 3_2_10005E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 3_2_10005E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 3_2_10002D31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 3_2_10002D31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 3_2_10002D31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-64h], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-64h], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 3_2_100013D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 3_2_100013D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 3_2_100013D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 3_2_100013D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 3_2_10004606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 3_2_10004610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 3_2_1000461A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 3_2_10004624
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 3_2_1000462E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 3_2_1000283C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 3_2_10006272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 3_2_10006272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 3_2_1000667B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 3_2_1000667B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 3_2_10008C8B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 3_2_10008C8B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 3_2_100068F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 3_2_10005F47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 3_2_10005F47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 3_2_10001F4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 3_2_1000676C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 3_2_10005D6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 3_2_10005D6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10007779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 3_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 3_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 3_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 3_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 3_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 3_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 3_2_10006984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 3_2_10007FBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 3_2_100065CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 3_2_100061D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 3_2_100061D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 3_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 3_2_100045FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 4_2_1000300A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 4_2_1000300A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 4_2_1000300A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-30h], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 4_2_10001027
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 4_2_10005E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 4_2_10005E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 4_2_10005E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 4_2_10002D31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 4_2_10002D31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 4_2_10002D31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-3Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-50h], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-64h], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-64h], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-40h], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 4_2_100013D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 4_2_100013D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 4_2_100013D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 4_2_100013D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 4_2_10004606
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 4_2_10004610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 4_2_1000461A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 4_2_10004624
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 4_2_1000462E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 4_2_1000283C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 4_2_10006272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 4_2_10006272
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 4_2_1000667B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 4_2_1000667B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 4_2_10008C8B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 4_2_10008C8B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 4_2_100068F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 4_2_10005F47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 4_2_10005F47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-28h], esp 4_2_10001F4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 4_2_1000676C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 4_2_10005D6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 4_2_10005D6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10007779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-38h], esp 4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-34h], esp 4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-24h], esp 4_2_10008779
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 4_2_10006984
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 4_2_10007FBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 4_2_100065CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 4_2_100061D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 4_2_100061D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-2Ch], esp 4_2_10007FFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then cmp dword ptr [ebp-4Ch], esp 4_2_100045FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then push esi 7_2_0046D431
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then push esi 7_2_00433CB2

Networking

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 208.100.26.242 5658
Source: C:\Windows\SysWOW64\svchost.exe Domain query: 52eva.top
Source: Traffic Snort IDS: 2023883 ET DNS Query to a *.top domain - Likely Hostile 192.168.2.4:56572 -> 8.8.8.8:53
Source: Joe Sandbox View ASN Name: STEADFASTUS STEADFASTUS
Source: Joe Sandbox View IP Address: 208.100.26.242 208.100.26.242
Source: Joe Sandbox View IP Address: 208.100.26.242 208.100.26.242
Source: global traffic TCP traffic: 192.168.2.4:49695 -> 208.100.26.242:5658
Source: unknown DNS traffic detected: queries for: 52eva.top
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040741D WSARecv, 7_2_0040741D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004330C0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalFix,GlobalUnWire,CloseClipboard, 7_2_004330C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0048837D GetKeyState,GetKeyState,GetKeyState,GetKeyState, 7_2_0048837D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00486887 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 7_2_00486887
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041F080 GetKeyState,GetKeyState,GetKeyState,GetKeyState, 7_2_0041F080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004317C0 GetKeyState,GetKeyState,GetKeyState,CopyRect, 7_2_004317C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00432F60 GlobalAlloc,GlobalFix,GlobalUnWire,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard, 7_2_00432F60
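The Networking lines above give the two indicators worth pivoting on: the injected svchost.exe connects to 208.100.26.242 on TCP port 5658 and resolves 52eva.top, and the Snort ET ruleset already fires on the *.top query. The following Python is an added example, not part of the sandbox output: it parses behaviour lines in this report's format into indicators, flags what an analyst would notice (a public IP on a non-web port, a domain on an abused TLD) and renders the result as Suricata rules. The line regexes, the expected-port set, the TLD list and the benign TEST-NET line are my assumptions.

```python
"""Pull network indicators out of Joe Sandbox-style behaviour lines.

Added example for this report, not sandbox code. Four of the sample lines
are copied from the Networking section above; the fifth (198.51.100.7:443,
a TEST-NET-2 address) is constructed so that benign traffic is exercised.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 208.100.26.242 5658",
    r"Source: C:\Windows\SysWOW64\svchost.exe Domain query: 52eva.top",
    "Source: global traffic TCP traffic: 192.168.2.4:49695 -> 208.100.26.242:5658",
    "Source: unknown DNS traffic detected: queries for: 52eva.top",
    "Source: global traffic TCP traffic: 192.168.2.4:49700 -> 198.51.100.7:443",  # constructed, benign
]

_CONNECT = re.compile(r"Network Connect: (\d{1,3}(?:\.\d{1,3}){3}) (\d+)")
_DOMAIN = re.compile(r"(?:Domain query|queries for): ([A-Za-z0-9.-]+)")
_TCP = re.compile(r"TCP traffic: [\d.]+:\d+ -> (\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

EXPECTED_PORTS = {80, 443}            # assumed: ports where outbound traffic is unremarkable
SUSPICIOUS_TLDS = {"top", "xyz", "tk"}  # assumed list; the report's Snort hit covers .top


@dataclass
class Iocs:
    endpoints: set = field(default_factory=set)   # (ip, port)
    domains: set = field(default_factory=set)


def extract_iocs(lines):
    """Collect (ip, port) endpoints and queried domains from behaviour lines."""
    iocs = Iocs()
    for line in lines:
        if m := _CONNECT.search(line):
            iocs.endpoints.add((m.group(1), int(m.group(2))))
        if m := _TCP.search(line):
            iocs.endpoints.add((m.group(1), int(m.group(2))))
        if m := _DOMAIN.search(line):
            iocs.domains.add(m.group(1).lower())
    return iocs


def is_private(ip):
    """RFC 1918 / loopback check so the sandbox's own LAN address is not flagged."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168) or a == 127


def flag(iocs):
    """Return the human-readable findings an analyst would note."""
    findings = []
    for ip, port in sorted(iocs.endpoints):
        if not is_private(ip) and port not in EXPECTED_PORTS:
            findings.append(f"non-standard port: {ip}:{port}")
    for d in sorted(iocs.domains):
        if d.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            findings.append(f"suspicious TLD: {d}")
    return findings


def suricata_rules(iocs, sid_base=9000000):
    """Render every endpoint and domain as a Suricata rule for a hunting sensor."""
    rules, sid = [], sid_base
    for ip, port in sorted(iocs.endpoints):
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} '
                     f'(msg:"Sandbox IOC C2 {ip}:{port}"; sid:{sid}; rev:1;)')
        sid += 1
    for d in sorted(iocs.domains):
        rules.append(f'alert dns $HOME_NET any -> any any '
                     f'(msg:"Sandbox IOC DNS {d}"; dns.query; content:"{d}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_LINES)
    print(*flag(found), sep="\n")
    print(*suricata_rules(found), sep="\n")
```

The rules cover both the raw endpoint and the name; on a sensor that only sees the DNS query (the C2 port may change between samples), the `dns.query` rule is the one that keeps firing.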

System Summary

Source: 3.0.rundll32.exe.475e2dd.4.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.rundll32.exe.1000e2dd.1.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.3.loaddll32.exe.280e2dd.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.loaddll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.loaddll32.exe.280e2dd.1.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.loaddll32.exe.280e2dd.4.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.2.rundll32.exe.475e2dd.1.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.0.rundll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.loaddll32.exe.1000e2dd.5.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.0.rundll32.exe.475e2dd.1.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.3.rundll32.exe.475e2dd.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.3.rundll32.exe.aee2dd.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.0.rundll32.exe.1000e2dd.5.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 3.2.rundll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 4.2.rundll32.exe.aee2dd.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.loaddll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.loaddll32.exe.280e2dd.1.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 5iiXyNVCQ3.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: 3.0.rundll32.exe.475e2dd.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.2.rundll32.exe.1000e2dd.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.3.loaddll32.exe.280e2dd.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.loaddll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.loaddll32.exe.280e2dd.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.loaddll32.exe.280e2dd.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.2.rundll32.exe.475e2dd.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.0.rundll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.loaddll32.exe.1000e2dd.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.0.rundll32.exe.475e2dd.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.3.rundll32.exe.475e2dd.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.3.rundll32.exe.aee2dd.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.0.rundll32.exe.1000e2dd.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 3.2.rundll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 4.2.rundll32.exe.aee2dd.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.loaddll32.exe.1000e2dd.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.loaddll32.exe.280e2dd.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 616
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00418600 7_2_00418600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00468080 7_2_00468080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004520B0 7_2_004520B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0044A170 7_2_0044A170
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004661F0 7_2_004661F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0045E260 7_2_0045E260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00428220 7_2_00428220
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004642C0 7_2_004642C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00450350 7_2_00450350
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00416460 7_2_00416460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004684F0 7_2_004684F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004645F0 7_2_004645F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00452580 7_2_00452580
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0044E700 7_2_0044E700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004527B0 7_2_004527B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00466800 7_2_00466800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004588D0 7_2_004588D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00440AB0 7_2_00440AB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00464BF0 7_2_00464BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00450B90 7_2_00450B90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00466C7E 7_2_00466C7E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00458D70 7_2_00458D70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00494D1E 7_2_00494D1E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00440DE0 7_2_00440DE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00466ECE 7_2_00466ECE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0044EED0 7_2_0044EED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00468E90 7_2_00468E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00478F66 7_2_00478F66
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00440F70 7_2_00440F70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00465040 7_2_00465040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004510A9 7_2_004510A9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00463130 7_2_00463130
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004431DB 7_2_004431DB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004531F0 7_2_004531F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00421320 7_2_00421320
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004453E0 7_2_004453E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047D40C 7_2_0047D40C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0043D4F0 7_2_0043D4F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00451566 7_2_00451566
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00461560 7_2_00461560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00467500 7_2_00467500
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0044350D 7_2_0044350D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0043B590 7_2_0043B590
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041F740 7_2_0041F740
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0044D700 7_2_0044D700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0045D7C0 7_2_0045D7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004577A0 7_2_004577A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00451851 7_2_00451851
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0045F9D0 7_2_0045F9D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00443A72 7_2_00443A72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00451A04 7_2_00451A04
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00419AE0 7_2_00419AE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00485B2B 7_2_00485B2B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0044DC40 7_2_0044DC40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00465C70 7_2_00465C70
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00451C7E 7_2_00451C7E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00457C1E 7_2_00457C1E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0042DC80 7_2_0042DC80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00457E6E 7_2_00457E6E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00471EB0 7_2_00471EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00449F00 7_2_00449F00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00443FD0 7_2_00443FD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00473304 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004719EB appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00449940 appears 77 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00484BEB appears 44 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004496C0 appears 39 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00449530 appears 85 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 1000B390 appears 37 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1000B390 appears 74 times
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001817 GetModuleHandleA,NtAllocateVirtualMemory,NtReadVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory, 0_2_10001817
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003356 LocalSize,RtlMoveMemory,LocalSize,RtlMoveMemory,LocalSize,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,LocalSize,LocalSize,RtlMoveMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,CloseHandle,CloseHandle, 0_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10001817 GetModuleHandleA,NtAllocateVirtualMemory,NtReadVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory, 3_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003356 LocalSize,RtlMoveMemory,LocalSize,RtlMoveMemory,LocalSize,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,LocalSize,WaitForSingleObject,CloseHandle,CloseHandle, 3_2_10003356
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001817 GetModuleHandleA,NtAllocateVirtualMemory,NtReadVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory, 4_2_10001817
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10003356 LocalSize,RtlMoveMemory,LocalSize,RtlMoveMemory,LocalSize,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,LocalSize,WaitForSingleObject,CloseHandle,CloseHandle, 4_2_10003356
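The chain at 0_2_10003356 (CreateProcessA, GetThreadContext, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) is the textbook process-hollowing sequence, which is what puts a PE into svchost.exe; the same function in processes 3 and 4 shows only the first half of the chain. The Python below is an added example, not the sandbox's own detection logic: it parses the report's "Code function:" lines and matches each API chain, in order but with optional stages, against the hollowing sequence. The stage table, the regex for the line format and the verdict thresholds are my assumptions.

```python
"""Match the per-function API chains printed by the sandbox against the
process hollowing (RunPE) sequence. Added example, not sandbox code."""
import re

# Ordered stages of classic process hollowing. Each stage lists the API
# spellings that implement it (ANSI/Wide, WoW64 and Nt* equivalents).
HOLLOWING_STAGES = [
    ("spawn target", {"CreateProcessA", "CreateProcessW", "NtCreateUserProcess"}),
    ("read thread context", {"GetThreadContext", "Wow64GetThreadContext", "NtGetContextThread"}),
    ("unmap original image", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("allocate in target", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write payload", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("redirect entry point", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume thread", {"ResumeThread", "NtResumeThread"}),
]
# Stages that must all appear before calling it hollowing. Unmapping is optional
# (some loaders overwrite the image in place) and the context read is sometimes
# replaced by a hard-coded entry point, so neither is required. Assumed policy.
REQUIRED = {"spawn target", "write payload", "redirect entry point", "resume thread"}

# The report prints the function id before and after the comma-joined chain.
_LINE = re.compile(r"Code function: (\S+) (.+?), \1$")

# Constructed input: the three chains quoted from the System Summary above.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003356 LocalSize,RtlMoveMemory,LocalSize,RtlMoveMemory,LocalSize,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,LocalSize,LocalSize,RtlMoveMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,CloseHandle,CloseHandle, 0_2_10003356",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_10003356 LocalSize,RtlMoveMemory,LocalSize,RtlMoveMemory,LocalSize,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,LocalSize,WaitForSingleObject,CloseHandle,CloseHandle, 3_2_10003356",
    r"Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001817 GetModuleHandleA,NtAllocateVirtualMemory,NtReadVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory,NtAllocateVirtualMemory,NtFreeVirtualMemory,NtFreeVirtualMemory, 0_2_10001817",
]


def parse_chain(line):
    """Return (function_id, [api, ...]) from a 'Code function:' line, or (None, [])."""
    m = _LINE.search(line.strip())
    if not m:
        return None, []
    return m.group(1), [a for a in m.group(2).split(",") if a]


def match_stages(apis):
    """In-order match of a chain against HOLLOWING_STAGES. A stage may be
    skipped, but stages that do appear must keep their order, so an unpacker
    that only allocates and frees local memory cannot advance past one hit."""
    hit, next_stage = [], 0
    for api in apis:
        for j in range(next_stage, len(HOLLOWING_STAGES)):
            name, variants = HOLLOWING_STAGES[j]
            if api in variants:
                hit.append(name)
                next_stage = j + 1
                break
    return hit


def verdict(stages):
    if REQUIRED <= set(stages):
        return "process hollowing"
    if len(stages) >= 3:
        return "partial chain"      # truncated trace, or a variant this table does not model
    return "none"


def scan(lines):
    """Return [(function_id, verdict, matched_stages)] for every parsable line."""
    out = []
    for line in lines:
        fid, apis = parse_chain(line)
        if fid:
            stages = match_stages(apis)
            out.append((fid, verdict(stages), stages))
    return out


if __name__ == "__main__":
    for fid, v, stages in scan(SAMPLE_LINES):
        print(f"{fid}: {v} ({' -> '.join(stages) or 'no stage hit'})")
```

Note that the ordered match is what separates the hollowing function from the NtAllocateVirtualMemory/NtFreeVirtualMemory routine at 0_2_10001817: the latter hits one stage and stops, while a bag-of-APIs check would count its allocations as evidence.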
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00484D30 NtdllDefWindowProc_A, 7_2_00484D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040347E NtQueryInformationProcess,NtReadVirtualMemory,NtReadVirtualMemory,NtReadVirtualMemory, 7_2_0040347E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0048551D NtdllDefWindowProc_A,CallWindowProcA, 7_2_0048551D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004870D1 NtdllDefWindowProc_A, 7_2_004870D1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004858C5 wsprintfA,wsprintfA,GetClassInfoA,NtdllDefWindowProc_A, 7_2_004858C5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004858B5 wsprintfA,GetClassInfoA,NtdllDefWindowProc_A, 7_2_004858B5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041FD80 GetClassInfoA,NtdllDefWindowProc_A, 7_2_0041FD80
Source: 5iiXyNVCQ3.dll Static PE information: Section: .nsp1 ZLIB complexity 0.9981345387972548
Source: RarExt32.dll.3.dr Static PE information: Section: .nsp1 ZLIB complexity 0.9981345387972548
Source: 5iiXyNVCQ3.dll Virustotal: Detection: 92%
Source: 5iiXyNVCQ3.dll ReversingLabs: Detection: 95%
Source: 5iiXyNVCQ3.dll Metadefender: Detection: 80%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5iiXyNVCQ3.dll,unll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 616
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 844
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5iiXyNVCQ3.dll,unll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER806D.tmp
Source: classification engine Classification label: mal100.evad.winDLL@16/9@1/2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007FFC CreateToolhelp32Snapshot,CloseHandle, 0_2_10007FFC
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5iiXyNVCQ3.dll,unll
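The process tree above is the detection opportunity on a live host: svchost.exe is started by rundll32.exe and loaddll32.exe rather than by services.exe, and rundll32.exe is handed a DLL from the user's Desktop. (The command line reads C:\WINDOWS\system32\svchost.exe while the image runs from SysWOW64; that is WoW64 file-system redirection for a 32-bit parent, not itself a signal.) The Python below is an added example, not sandbox logic: it parses the "Process created:" lines and applies the parent/child rules a SOC would put in front of Sysmon event 1 data. The expected-parent table, the user-writable path list, the services.exe control line and the regex (which relies on image paths without spaces, true for every line in this report) are my assumptions.

```python
"""Flag anomalous parent/child pairs in 'Process created:' behaviour lines.
Added example for this report, not sandbox code."""
import re
from pathlib import PureWindowsPath

_CREATED = re.compile(r"^Source: (\S+) Process created: (\S+) ?(.*)$")

# Windows images that a healthy system starts from exactly one parent.
# Assumed table, trimmed to what this report needs.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "conhost.exe": None,          # any console process may spawn it
}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

SAMPLE_LINES = [  # constructed: four lines copied from the report, one assumed-benign control
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5iiXyNVCQ3.dll,unll",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 616",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"Source: C:\Windows\System32\services.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k NetworkService",
]


def parse_created(line):
    """Return a dict with lower-cased parent/child image names, or None."""
    m = _CREATED.match(line.strip())
    if not m:
        return None
    parent, child, cmdline = m.groups()
    return {"parent": PureWindowsPath(parent).name.lower(),
            "child": PureWindowsPath(child).name.lower(),
            "child_path": child, "cmdline": cmdline}


def findings_for(ev):
    out = []
    expected = EXPECTED_PARENT.get(ev["child"])
    if expected and ev["parent"] not in expected:
        out.append(f"{ev['child']} spawned by {ev['parent']} (expected {', '.join(sorted(expected))})")
    if ev["child"] == "rundll32.exe":
        # rundll32 takes its DLL from the command line; a DLL under a
        # user-writable path is the usual proxy-execution pattern.
        args = ev["cmdline"].lower()
        if any(p in args for p in USER_WRITABLE):
            out.append("rundll32.exe loading a DLL from a user-writable path")
    if ev["child"] == "werfault.exe":
        out.append(f"{ev['parent']} crashed (WerFault invoked)")
    return out


def scan(lines):
    """Map 'parent -> child' to its findings, dropping pairs with none."""
    report = {}
    for line in lines:
        ev = parse_created(line)
        if ev:
            key = f"{ev['parent']} -> {ev['child']}"
            report.setdefault(key, []).extend(findings_for(ev))
    return {k: v for k, v in report.items() if v}


if __name__ == "__main__":
    for pair, notes in scan(SAMPLE_LINES).items():
        print(pair, "|", "; ".join(notes))
```

The services.exe control line is there to show the rule is about lineage, not the image name: a real NetworkService host group passes untouched, while the same binary started by rundll32.exe is reported.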
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:676:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess964
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3144
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\USERNAME
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00484376 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, 7_2_00484376
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Program Files\WinRAP
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\svchost.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\rundll32.exe Directory created: C:\Program Files\WinRAP
Source: C:\Windows\SysWOW64\rundll32.exe Directory created: C:\Program Files\WinRAP\RarExt32.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000C650 push eax; ret 0_2_1000C67E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_1000C650 push eax; ret 3_2_1000C67E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_1000C650 push eax; ret 4_2_1000C67E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00492584 pushad ; ret 7_2_00492585
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00473304 push eax; ret 7_2_00473322
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00471390 push eax; ret 7_2_004713BE
Source: 5iiXyNVCQ3.dll Static PE information: section name: .nsp0
Source: 5iiXyNVCQ3.dll Static PE information: section name: .nsp1
Source: 5iiXyNVCQ3.dll Static PE information: section name: .nsp2
Source: RarExt32.dll.3.dr Static PE information: section name: .nsp0
Source: RarExt32.dll.3.dr Static PE information: section name: .nsp1
Source: RarExt32.dll.3.dr Static PE information: section name: .nsp2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004181F0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,748D7540,UnRegisterTypeLib, 7_2_004181F0
Source: initial sample Static PE information: section where entry point is pointing to: .nsp1
Source: initial sample Static PE information: section name: .nsp1 entropy: 7.998366920306635
Source: initial sample Static PE information: section name: .nsp1 entropy: 7.998366920306635
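The static lines above say the same thing three ways: the entry point sits in .nsp1, that section has entropy 7.998 out of a possible 8.0 and a ZLIB complexity of 0.998 (zlib cannot shrink it), and the section names .nsp0/.nsp1/.nsp2 are the ones written by the NsPack packer. The Python below is an added example, not sandbox code: it computes the same two measures over constructed section data and combines them with the section-name heuristic into a per-section and per-image verdict. The thresholds, the packer-name list and the sample bytes are my assumptions; the sample data is generated, not taken from 5iiXyNVCQ3.dll.

```python
"""Shannon entropy, zlib complexity and section-name heuristics for PE
sections. Added example for this report, not sandbox code."""
import math
import random
import zlib

# Section names written by common packers. NsPack uses .nsp0/.nsp1/.nsp2,
# which is what the sample and the dropped RarExt32.dll carry.
PACKER_SECTION_NAMES = {".nsp0", ".nsp1", ".nsp2", "UPX0", "UPX1", ".aspack", ".MPRESS1", ".vmp0"}
ENTROPY_THRESHOLD = 7.2      # assumed; 8.0 is the maximum for byte-valued data
ZLIB_THRESHOLD = 0.95        # assumed; near 1.0 means the data is already compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size over raw size, capped at 1.0 (random data does not shrink)."""
    if not data:
        return 0.0
    return min(1.0, len(zlib.compress(data, 9)) / len(data))


def assess_section(name: str, data: bytes, is_entry: bool = False) -> dict:
    """Score one section; two or more independent signals mark it as packed."""
    ent, cplx = shannon_entropy(data), zlib_complexity(data)
    reasons = []
    if name in PACKER_SECTION_NAMES:
        reasons.append("packer section name")
    if ent >= ENTROPY_THRESHOLD:
        reasons.append(f"entropy {ent:.3f}")
    if cplx >= ZLIB_THRESHOLD:
        reasons.append(f"zlib complexity {cplx:.3f}")
    if is_entry and reasons:
        reasons.append("entry point inside this section")
    return {"name": name, "entropy": ent, "zlib": cplx,
            "packed": len(reasons) >= 2, "reasons": reasons}


def build_samples():
    """Constructed stand-ins for the three sections: an empty stub, a packed
    body of pseudo-random bytes (entry point here) and a low-entropy area."""
    rng = random.Random(0xC2)                      # fixed seed, reproducible output
    n = 64 * 1024
    packed = rng.getrandbits(8 * n).to_bytes(n, "little")
    code_like = (b"\x55\x8b\xec\x83\xec\x10" * 2048) + bytes(4096)  # repetitive prologue bytes
    return [(".nsp0", bytes(512), False), (".nsp1", packed, True), (".nsp2", code_like, False)]


def assess_image(sections):
    return [assess_section(n, d, e) for n, d, e in sections]


def image_verdict(results):
    return "likely packed" if any(r["packed"] for r in results) else "no packing signals"


if __name__ == "__main__":
    results = assess_image(build_samples())
    for r in results:
        print(f"{r['name']:8} entropy={r['entropy']:.3f} zlib={r['zlib']:.3f} -> {', '.join(r['reasons']) or 'clean'}")
    print(image_verdict(results))
```

Requiring two signals keeps a single high-entropy resource section (an embedded certificate or compressed image) from tripping the verdict on its own; here .nsp1 hits all of name, entropy, compressibility and entry point, which is why the sandbox's separate "section where entry point is pointing to" line matters.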
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Program Files\WinRAP\RarExt32.dll
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00416460 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus, 7_2_00416460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041EDD0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow, 7_2_0041EDD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0046F977 MonitorFromWindow,IsIconic,GetWindowPlacement,GetWindowRect, 7_2_0046F977
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Program Files\WinRAP\RarExt32.dll
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 4.5 %
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00483CEE __EH_prolog,GetFullPathNameA,lstrcpyn,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpy, 7_2_00483CEE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0041EED0 FindFirstFileA,FindClose, 7_2_0041EED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0040F300 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA, 7_2_0040F300
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00417FF0 FindNextFileA,FindClose,FindFirstFileA,FindClose, 7_2_00417FF0
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\loaddll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node
Source: rundll32.exe, 00000003.00000000.328082991.0000000000EEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004181F0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,748D7540,UnRegisterTypeLib, 7_2_004181F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10009430 GetProcessHeap,RtlAllocateHeap,MessageBoxA, 0_2_10009430
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100017B4 mov esi, dword ptr fs:[00000030h] 0_2_100017B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_100017B4 mov esi, dword ptr fs:[00000030h] 3_2_100017B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100017B4 mov esi, dword ptr fs:[00000030h] 4_2_100017B4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047C0DA SetUnhandledExceptionFilter, 7_2_0047C0DA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0047C0EC SetUnhandledExceptionFilter, 7_2_0047C0EC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 208.100.26.242 5658
Source: C:\Windows\SysWOW64\svchost.exe Domain query: 52eva.top
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 401000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 4F9000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 554000
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 82B008
Source: C:\Windows\System32\loaddll32.exe Memory allocated: C:\Windows\SysWOW64\svchost.exe base: 400000 protect: page read and write
Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10003356 LocalSize,RtlMoveMemory,LocalSize,RtlMoveMemory,LocalSize,CreateProcessA,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,LocalSize,LocalSize,RtlMoveMemory,WriteProcessMemory,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,WaitForSingleObject,CloseHandle,CloseHandle, 0_2_10003356
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\5iiXyNVCQ3.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\WINDOWS\system32\svchost.exe -K NetworkService
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetKeyboardLayout,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetSystemDefaultLangID,VerLanguageNameA,GetTimeZoneInformation,wsprintfA, 7_2_0046D210
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale, 7_2_0047E607
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesA, 7_2_0047E7DC
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesA, 7_2_0047EA67
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesA, 7_2_0047EB7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 7_2_0047ED6E
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar, 7_2_0047FB7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA,MultiByteToWideChar, 7_2_0047FC37
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte, 7_2_0047FC8D
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,WideCharToMultiByte, 7_2_0047FD50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_00472C10 GetLocalTime,GetSystemTime,GetTimeZoneInformation, 7_2_00472C10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0046D210 GetKeyboardLayout,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetSystemDefaultLangID,VerLanguageNameA,GetTimeZoneInformation,wsprintfA, 7_2_0046D210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0048D74C GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA, 7_2_0048D74C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_004688C0 GetUserNameA,GetWindowsDirectoryA,GetSystemDirectoryA, 7_2_004688C0