Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
zzkCIdCoDt.exe

Overview

General Information

Sample Name:zzkCIdCoDt.exe (renamed file extension from exe to dll)
Analysis ID:745008
MD5:e383dda8987435a6a3950aa9a6909b2c
SHA1:8b3982937eddd443b671161e04c80a2ed5e68818
SHA256:8c1db84c9f86675e3487960e5275fdf2e690b53eff1879e2d72673463fe1055a
Tags:dllexe
Infos:

Detection

Emotet
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Emotet
System process connects to network (likely due to code injection or exploit)
Snort IDS alert for network traffic
Creates an autostart registry key pointing to binary in C:\Windows
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Checks for debuggers (devices)
Connects to several IPs in different countries
Registers a DLL
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 5224 cmdline: loaddll64.exe "C:\Users\user\Desktop\zzkCIdCoDt.dll" MD5: C676FC0263EDD17D4CE7D644B8F3FCD6)
    • conhost.exe (PID: 5236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2068 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\zzkCIdCoDt.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 5456 cmdline: rundll32.exe "C:\Users\user\Desktop\zzkCIdCoDt.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • regsvr32.exe (PID: 5160 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\AmhzcKVtZLl\siQPBMdwCPAb.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 5452 cmdline: regsvr32.exe /s C:\Users\user\Desktop\zzkCIdCoDt.dll MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 5144 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\QxWCKZstQphkP\egknjpoziqlzVL.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
      • regsvr32.exe (PID: 5144 cmdline: C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\AmhzcKVtZLl\siQPBMdwCPAb.dll MD5: D78B75FC68247E8A63ACBA846182740E)
        • regsvr32.exe (PID: 3796 cmdline: C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\UOEgTmwbpKANXEqN\KElhycJrzKCpLgeP.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
      • MpCmdRun.exe (PID: 3968 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)
        • conhost.exe (PID: 2072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5488 cmdline: rundll32.exe C:\Users\user\Desktop\zzkCIdCoDt.dll,DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A)
      • regsvr32.exe (PID: 736 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\BlngRITsHraAEaQWw\tRWuLwwWwn.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
    • regsvr32.exe (PID: 3044 cmdline: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\CXPSzCIcOMY\wxJWjHQhm.dll" MD5: D78B75FC68247E8A63ACBA846182740E)
  • cleanup
{"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0UPxu9nIvAI4=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWof1h9lMsAJA="]}
SourceRuleDescriptionAuthorStrings
00000005.00000002.268670128.0000000180001000.00000020.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
    00000006.00000002.773669828.0000000000B00000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
      00000013.00000002.417010229.0000000000CF0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
        00000005.00000002.270742537.000002AB001A0000.00000040.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          00000006.00000002.774717427.0000000180001000.00000020.00001000.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            Click to see the 7 entries
            SourceRuleDescriptionAuthorStrings
            3.2.regsvr32.exe.2d00000.0.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              6.2.regsvr32.exe.b00000.0.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                5.2.rundll32.exe.2ab001a0000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                  4.2.rundll32.exe.13b3e6b0000.0.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                    19.2.regsvr32.exe.cf0000.0.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                      Click to see the 7 entries
                      No Sigma rule has matched
                      Timestamp:192.168.2.3115.178.55.2249700802404304 11/13/22-17:16:57.501080
                      SID:2404304
                      Source Port:49700
                      Destination Port:80
                      Protocol:TCP
                      Classtype:A Network Trojan was detected

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection

                      barindex
                      Source: zzkCIdCoDt.dllVirustotal: Detection: 43%Perma Link
                      Source: 00000006.00000002.772134880.00000000008B8000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Emotet {"C2 list": ["172.105.115.71:8080", "218.38.121.17:443", "186.250.48.5:443", "103.71.99.57:8080", "85.214.67.203:8080", "85.25.120.45:8080", "139.196.72.155:8080", "103.85.95.4:8080", "198.199.70.22:8080", "209.239.112.82:8080", "78.47.204.80:443", "36.67.23.59:443", "104.244.79.94:443", "62.171.178.147:8080", "195.77.239.39:8080", "103.56.149.105:8080", "80.211.107.116:8080", "93.104.209.107:8080", "174.138.33.49:7080", "202.28.34.99:8080", "178.62.112.199:8080", "114.79.130.68:443", "118.98.72.86:443", "103.41.204.169:8080", "178.238.225.252:8080", "83.229.80.93:8080", "46.101.98.60:8080", "82.98.180.154:7080", "87.106.97.83:7080", "196.44.98.190:8080", "139.59.80.108:8080", "103.224.241.74:8080", "103.254.12.236:7080", "185.148.169.10:8080", "165.22.254.236:8080", "37.44.244.177:8080", "54.37.228.122:443", "51.75.33.122:443", "128.199.217.206:443", "188.165.79.151:443", "210.57.209.142:8080", "160.16.143.191:8080", "175.126.176.79:8080", "202.134.4.210:7080", "103.126.216.86:443", "190.145.8.4:443", "128.199.242.164:8080", "64.227.55.231:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0UPxu9nIvAI4=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWof1h9lMsAJA="]}
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC28919410 CryptStringToBinaryA,CryptStringToBinaryA,0_2_00007FFC28919410
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFC28919410 CryptStringToBinaryA,CryptStringToBinaryA,3_2_00007FFC28919410
                      Source: zzkCIdCoDt.dllStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
                      Source: C:\Windows\System32\loaddll64.exeCode function: 0_2_00007FFC2890C334 FindFirstFileExW,0_2_00007FFC2890C334
                      Source: C:\Windows\System32\regsvr32.exeCode function: 3_2_00007FFC2890C334 FindFirstFileExW,3_2_00007FFC2890C334

                      Networking

                      barindex
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 115.178.55.22 80Jump to behavior
                      Source: C:\Windows\System32\regsvr32.exeNetwork Connect: 172.105.115.71 8080Jump to behavior
                      Source: TrafficSnort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.3:49700 -> 115.178.55.22:80
                      Source: Malware configuration extractorIPs: 172.105.115.71:8080
                      Source: Malware configuration extractorIPs: 218.38.121.17:443
                      Source: Malware configuration extractorIPs: 186.250.48.5:443
                      Source: Malware configuration extractorIPs: 103.71.99.57:8080
                      Source: Malware configuration extractorIPs: 85.214.67.203:8080
                      Source: Malware configuration extractorIPs: 85.25.120.45:8080
                      Source: Malware configuration extractorIPs: 139.196.72.155:8080
                      Source: Malware configuration extractorIPs: 103.85.95.4:8080
                      Source: Malware configuration extractorIPs: 198.199.70.22:8080
                      Source: Malware configuration extractorIPs: 209.239.112.82:8080
                      Source: Malware configuration extractorIPs: 78.47.204.80:443
                      Source: Malware configuration extractorIPs: 36.67.23.59:443
                      Source: Malware configuration extractorIPs: 104.244.79.94:443
                      Source: Malware configuration extractorIPs: 62.171.178.147:8080
                      Source: Malware configuration extractorIPs: 195.77.239.39:8080
                      Source: Malware configuration extractorIPs: 103.56.149.105:8080
                      Source: Malware configuration extractorIPs: 80.211.107.116:8080
                      Source: Malware configuration extractorIPs: 93.104.209.107:8080
                      Source: Malware configuration extractorIPs: 174.138.33.49:7080
                      Source: Malware configuration extractorIPs: 202.28.34.99:8080
                      Source: Malware configuration extractorIPs: 178.62.112.199:8080
                      Source: Malware configuration extractorIPs: 114.79.130.68:443
                      Source: Malware configuration extractorIPs: 118.98.72.86:443
                      Source: Malware configuration extractorIPs: 103.41.204.169:8080
                      Source: Malware configuration extractorIPs: 178.238.225.252:8080
                      Source: Malware configuration extractorIPs: 83.229.80.93:8080
                      Source: Malware configuration extractorIPs: 46.101.98.60:8080
                      Source: Malware configuration extractorIPs: 82.98.180.154:7080
                      Source: Malware configuration extractorIPs: 87.106.97.83:7080
                      Source: Malware configuration extractorIPs: 196.44.98.190:8080
                      Source: Malware configuration extractorIPs: 139.59.80.108:8080
                      Source: Malware configuration extractorIPs: 103.224.241.74:8080
                      Source: Malware configuration extractor