Windows Analysis Report
yoyrJ.dll

Overview

General Information

Sample Name:	yoyrJ.dll
Analysis ID:	750476
MD5:	dd7105e9748a29b5bd61ea57214d57e3
SHA1:	827b323bda769ba7fb838a231aa4160209266b14
SHA256:	c987ad0cc79b598bdee9ec7da96b07e82a04cadd73cb3caf85b799731deef9a1
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Creates an autostart registry key pointing to binary in C:\Windows

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains an invalid checksum

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Connects to several IPs in different countries

Registers a DLL

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: yoyrJ.dll	ReversingLabs: Detection: 88%
Source: yoyrJ.dll	Metadefender: Detection: 47%			Perma Link

Antivirus detection for URL or domain

Source: https://45.63.99.23:7080/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/	Avira URL Cloud: Label: malware
Source: https://182.162.143.56/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/	Avira URL Cloud: Label: malware

Source: 00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["173.255.211.88:443", "45.63.99.23:7080", "182.162.143.56:443", "91.187.140.35:8080", "212.24.98.99:8080", "119.59.103.152:8080", "45.235.8.30:8080", "172.104.251.154:8080", "72.15.201.15:8080", "169.57.156.166:8080", "103.75.201.2:443", "213.239.212.5:443", "164.90.222.65:443", "201.94.166.162:443", "94.23.45.86:4143", "183.111.227.137:8080", "186.194.240.217:443", "107.170.39.149:8080", "147.139.166.154:8080", "5.135.159.50:443", "206.189.28.199:8080", "104.168.155.143:8080", "129.232.188.93:443", "82.223.21.224:8080", "103.43.75.120:443", "103.132.242.26:8080", "139.59.56.73:8080", "164.68.99.3:8080", "202.129.205.3:8080", "167.172.199.165:8080", "110.232.117.186:8080", "209.97.163.214:443", "167.172.253.162:8080", "1.234.2.232:8080", "159.65.88.10:8080", "95.217.221.146:8080", "153.92.5.27:8080", "91.207.28.33:8080", "188.44.20.25:443", "153.126.146.25:7080", "163.44.196.120:8080", "172.105.226.75:8080", "115.68.227.76:8080", "159.65.140.115:443", "139.59.126.41:443", "197.242.150.244:8080", "45.176.232.124:443", "45.118.115.99:8080", "149.56.131.28:8080", "79.137.35.198:8080", "173.212.193.249:8080", "160.16.142.56:8080", "159.89.202.34:443", "185.4.135.165:8080"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5J0rtUQAbAIw=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2AkoOUQAUAJA="]}

Source: unknown

HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49700 version: TLS 1.2

Source: yoyrJ.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\System32\regsvr32.exe

Code function: 7_2_000000018001E0D4 FindFirstFileW,FindNextFileW,FindClose,

7_2_000000018001E0D4

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 45.63.99.23 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 173.255.211.88 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.4:49700 -> 182.162.143.56:443
Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49695 -> 173.255.211.88:443
Source: Traffic	Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49699 -> 45.63.99.23:7080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 173.255.211.88:443
Source: Malware configuration extractor	IPs: 45.63.99.23:7080
Source: Malware configuration extractor	IPs: 182.162.143.56:443
Source: Malware configuration extractor	IPs: 91.187.140.35:8080
Source: Malware configuration extractor	IPs: 212.24.98.99:8080
Source: Malware configuration extractor	IPs: 119.59.103.152:8080
Source: Malware configuration extractor	IPs: 45.235.8.30:8080
Source: Malware configuration extractor	IPs: 172.104.251.154:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 169.57.156.166:8080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 213.239.212.5:443
Source: Malware configuration extractor	IPs: 164.90.222.65:443
Source: Malware configuration extractor	IPs: 201.94.166.162:443
Source: Malware configuration extractor	IPs: 94.23.45.86:4143
Source: Malware configuration extractor	IPs: 183.111.227.137:8080
Source: Malware configuration extractor	IPs: 186.194.240.217:443
Source: Malware configuration extractor	IPs: 107.170.39.149:8080
Source: Malware configuration extractor	IPs: 147.139.166.154:8080
Source: Malware configuration extractor	IPs: 5.135.159.50:443
Source: Malware configuration extractor	IPs: 206.189.28.199:8080
Source: Malware configuration extractor	IPs: 104.168.155.143:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 82.223.21.224:8080
Source: Malware configuration extractor	IPs: 103.43.75.120:443
Source: Malware configuration extractor	IPs: 103.132.242.26:8080
Source: Malware configuration extractor	IPs: 139.59.56.73:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 202.129.205.3:8080
Source: Malware configuration extractor	IPs: 167.172.199.165:8080
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 209.97.163.214:443
Source: Malware configuration extractor	IPs: 167.172.253.162:8080
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 95.217.221.146:8080
Source: Malware configuration extractor	IPs: 153.92.5.27:8080
Source: Malware configuration extractor	IPs: 91.207.28.33:8080
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 163.44.196.120:8080
Source: Malware configuration extractor	IPs: 172.105.226.75:8080
Source: Malware configuration extractor	IPs: 115.68.227.76:8080
Source: Malware configuration extractor	IPs: 159.65.140.115:443
Source: Malware configuration extractor	IPs: 139.59.126.41:443
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 149.56.131.28:8080
Source: Malware configuration extractor	IPs: 79.137.35.198:8080
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 160.16.142.56:8080
Source: Malware configuration extractor	IPs: 159.89.202.34:443
Source: Malware configuration extractor	IPs: 185.4.135.165:8080

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: RACKCORP-APRackCorpAU RACKCORP-APRackCorpAU
Source: Joe Sandbox View	ASN Name: INPL-IN-APIshansNetworkIN INPL-IN-APIshansNetworkIN

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 8916410db85077a5460817142dcbc8de

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: POST /ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 334Host: 182.162.143.56

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 110.232.117.186 110.232.117.186
Source: Joe Sandbox View	IP Address: 103.132.242.26 103.132.242.26

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49699 -> 45.63.99.23:7080

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 20

Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 173.255.211.88
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 45.63.99.23
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56

Source: regsvr32.exe, 00000007.00000003.455831993.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456335668.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828167119.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000007.00000003.585372915.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828083663.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585447802.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585835870.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584690393.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456292772.0000000000C91000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://17.63.99.23:7080/
Source: regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828134623.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/
Source: regsvr32.exe, 00000007.00000003.585426852.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828093556.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584653863.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585285064.0000000000C97000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585349266.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828075611.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585656644.0000000000C98000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584690393.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456292772.0000000000C91000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456277440.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585829274.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://182.162.143.56/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/
Source: regsvr32.exe, 00000007.00000003.585426852.0000000000C87000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584653863.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585349266.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828075611.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456277440.0000000000C86000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.585829274.0000000000C8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.63.99.23:7080/ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/

Source: unknown

HTTP traffic detected: POST /ltqyvaphgamn/iuduszibmmiode/zgmecigm/lvlmwwim/ HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 334Host: 182.162.143.56

Source: unknown

HTTPS traffic detected: 182.162.143.56:443 -> 192.168.2.4:49700 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 00000007.00000002.827986155.0000000000C38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown
Source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa Author: unknown

Yara signature match

Source: 0.2.loaddll64.exe.141aeea0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 7.2.regsvr32.exe.ba0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 4.2.rundll32.exe.1ebd2220000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 12.2.regsvr32.exe.d20000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0.2.loaddll64.exe.141aeea0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 7.2.regsvr32.exe.ba0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 3.2.regsvr32.exe.a90000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 12.2.regsvr32.exe.d20000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.1bbc5810000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 5.2.rundll32.exe.1bbc5810000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 3.2.regsvr32.exe.a90000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 4.2.rundll32.exe.1ebd2220000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000007.00000002.828364693.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0000000C.00000002.496080462.0000000000D20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000002.322442190.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000003.00000002.321064194.0000000000A90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000005.00000002.321445782.000001BBC5810000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000004.00000002.318945591.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000003.00000002.322205921.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000004.00000002.319306896.000001EBD2220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 0000000C.00000002.496539435.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000007.00000002.827883820.0000000000BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000005.00000002.320548872.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09
Source: 00000000.00000002.322977789.00000141AEEA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Emotet_db7d33fa reference_sample = 08c23400ff546db41f9ddbbb19fa75519826744dde3b3afb38f3985266577afc, os = windows, severity = x86, creation_date = 2022-05-09, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Emotet, fingerprint = eac196154ab1ad636654c966e860dcd5763c50d7b8221dbbc7769c879daf02fd, id = db7d33fa-e50c-4c59-ab92-edb74aac87c9, last_modified = 2022-06-09

Deletes files inside the Windows folder

Source: C:\Windows\System32\regsvr32.exe

File deleted: C:\Windows\System32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll:Zone.Identifier

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\yoyrJ.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yoyrJ.dll,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll"
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\yoyrJ.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\yoyrJ.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\OGxcy\dYkxHTuA.dll"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\yoyrJ.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll"	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll"	Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3096:120:WilError_01
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\System32\wbem\WMIADAP.exe	Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib

Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\wbem\WMIADAP.exe	Automated click: OK
Source: C:\Windows\System32\wbem\WMIADAP.exe	Automated click: OK

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180005098 push ebp; ret	0_2_0000000180005099
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800118AD push esp; retn 0000h	0_2_00000001800118B5
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800170C8 push eax; retf	0_2_00000001800170C9
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800170DD push ecx; iretd	0_2_00000001800170E2
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_000000018000512B push ebp; retf	0_2_000000018000512F
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180004938 push eax; ret	0_2_000000018000493B
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800171F0 push eax; retf	0_2_00000001800171F1
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_0000000180010F42 push 8B48E1F7h; retf	0_2_0000000180010F51
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00000001800117D6 pushad ; ret	0_2_00000001800117D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180005098 push ebp; ret	3_2_0000000180005099
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800118AD push esp; retn 0000h	3_2_00000001800118B5
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800170C8 push eax; retf	3_2_00000001800170C9
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800170DD push ecx; iretd	3_2_00000001800170E2
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_000000018000512B push ebp; retf	3_2_000000018000512F
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180004938 push eax; ret	3_2_000000018000493B
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800171F0 push eax; retf	3_2_00000001800171F1
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180010F42 push 8B48E1F7h; retf	3_2_0000000180010F51
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800117D6 pushad ; ret	3_2_00000001800117D8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180005098 push ebp; ret	4_2_0000000180005099
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800118AD push esp; retn 0000h	4_2_00000001800118B5
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800170C8 push eax; retf	4_2_00000001800170C9
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800170DD push ecx; iretd	4_2_00000001800170E2
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_000000018000512B push ebp; retf	4_2_000000018000512F
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180004938 push eax; ret	4_2_000000018000493B
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800171F0 push eax; retf	4_2_00000001800171F1
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010F42 push 8B48E1F7h; retf	4_2_0000000180010F51
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800117D6 pushad ; ret	4_2_00000001800117D8
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_0000000180005098 push ebp; ret	5_2_0000000180005099
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800118AD push esp; retn 0000h	5_2_00000001800118B5
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800170C8 push eax; retf	5_2_00000001800170C9
Source: C:\Windows\System32\rundll32.exe	Code function: 5_2_00000001800170DD push ecx; iretd	5_2_00000001800170E2

Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qohQcmrlRynEDAUP.dll			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qohQcmrlRynEDAUP.dll			Jump to behavior

Source: C:\Windows\System32\loaddll64.exe	File opened: C:\Windows\system32\OGxcy\dYkxHTuA.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\UgFJoEzLBQVtMeg\qohQcmrlRynEDAUP.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\RPhOZPFULSaJ\nMwLrZYwR.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\YbSMYJyTdzumryV\WWgeEzfCEnB.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Users\user\AppData\Local\ArkmTuxCaKyXkTDZ\fBEZnVEOT.dll:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe TID: 5396	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 1664	Thread sleep count: 2698 > 30	Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 1664	Thread sleep count: 2698 > 30	Jump to behavior

Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 2698			Jump to behavior
Source: C:\Windows\System32\wbem\WMIADAP.exe	Window / User API: threadDelayed 2698			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828134623.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584622965.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828052946.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456259811.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 00000007.00000003.585862169.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000002.828134623.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584870026.0000000000CB9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456389200.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.456205938.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000007.00000003.584908649.0000000000CBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWf
Source: loaddll64.exe, 00000000.00000003.320147566.00000141AEF45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\C

Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C304980 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF88C304980
Source: C:\Windows\System32\loaddll64.exe	Code function: 0_2_00007FF88C3091F4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00007FF88C3091F4

Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoW,	0_2_00007FF88C317D58
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesA,	0_2_00007FF88C317EC8
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesA,	0_2_00007FF88C317E88
Source: C:\Windows\System32\loaddll64.exe	Code function: EnumSystemLocalesA,	0_2_00007FF88C317F60
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,GetLocaleInfoW,GetLocaleInfoW,GetACP,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	0_2_00007FF88C317FCC
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF88C3177EC
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,GetLocaleInfoA,	0_2_00007FF88C317910
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,	0_2_00007FF88C3179F8
Source: C:\Windows\System32\loaddll64.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,	0_2_00007FF88C317A88
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLastError,free,free,GetLocaleInfoW,GetLocaleInfoW,free,GetLocaleInfoW,	0_2_00007FF88C312BF4
Source: C:\Windows\System32\loaddll64.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,free,	0_2_00007FF88C318470

IP	Domain	Country	ASN	ASN Name	Malicious
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
103.132.242.26	unknown	India	45117	INPL-IN-APIshansNetworkIN	true
104.168.155.143	unknown	United States	54290	HOSTWINDSUS	true
79.137.35.198	unknown	France	16276	OVHFR	true
45.118.115.99	unknown	Indonesia	131717	IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID	true
172.104.251.154	unknown	United States	63949	LINODE-APLinodeLLCUS	true
115.68.227.76	unknown	Korea Republic of	38700	SMILESERV-AS-KRSMILESERVKR	true
163.44.196.120	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
206.189.28.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
45.63.99.23	unknown	United States	20473	AS-CHOOPAUS	true
107.170.39.149	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
185.4.135.165	unknown	Greece	199246	TOPHOSTGR	true
183.111.227.137	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
139.59.56.73	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
169.57.156.166	unknown	United States	36351	SOFTLAYERUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
139.59.126.41	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
167.172.253.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
147.139.166.154	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
202.129.205.3	unknown	Thailand	45328	NIPA-AS-THNIPATECHNOLOGYCOLTDTH	true
167.172.199.165	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
153.92.5.27	unknown	Germany	47583	AS-HOSTINGERLT	true
159.65.140.115	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.226.75	unknown	United States	63949	LINODE-APLinodeLLCUS	true
164.90.222.65	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
213.239.212.5	unknown	Germany	24940	HETZNER-ASDE	true
5.135.159.50	unknown	France	16276	OVHFR	true
173.255.211.88	unknown	United States	63949	LINODE-APLinodeLLCUS	true
212.24.98.99	unknown	Lithuania	62282	RACKRAYUABRakrejusLT	true
186.194.240.217	unknown	Brazil	262733	NetceteraTelecomunicacoesLtdaBR	true
91.187.140.35	unknown	Serbia	13092	UB-ASRS	true
119.59.103.152	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
159.89.202.34	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
201.94.166.162	unknown	Brazil	28573	CLAROSABR	true
160.16.142.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
91.207.28.33	unknown	Kyrgyzstan	39819	PROHOSTKG	true
103.43.75.120	unknown	Japan	20473	AS-CHOOPAUS	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
45.235.8.30	unknown	Brazil	267405	WIKINETTELECOMUNICACOESBR	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
82.223.21.224	unknown	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
95.217.221.146	unknown	Germany	24940	HETZNER-ASDE	true
149.56.131.28	unknown	Canada	16276	OVHFR	true
209.97.163.214	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
182.162.143.56	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
94.23.45.86	unknown	France	16276	OVHFR	true

ID:	750476
Product:	CloudBasic
Start time:	04:19:06
Start date:	21.11.2022
Sample:	yoyrJ.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	dd7105e9748a29b5bd61ea57214d57e3
SHA1:	827b323bda769ba7fb838a231aa4160209266b14
SHA256:	c987ad0cc79b598bdee9ec7da96b07e82a04cadd73cb3caf85b799731deef9a1
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\Windows\System32\wbem\Performance\WmiApRpl_new.h	ASCII text, with CRLF line terminators	B133A676D139032A27DE3D9619E70091	1248AA89938A13640252A79113930EDE2F26F1FA	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15
C:\Windows\system32\wbem\Performance\WmiApRpl.h (copy)	ASCII text, with CRLF line terminators	B133A676D139032A27DE3D9619E70091	1248AA89938A13640252A79113930EDE2F26F1FA	AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15

Windows Analysis Report yoyrJ.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
yoyrJ.dll