Windows Analysis Report
6k00SOeMjU.dll

Overview

General Information

Sample Name: 6k00SOeMjU.dll
Analysis ID: 764036
MD5: 0d079a931e42f554016db36476e55ba7
SHA1: d5f1ab52221019c746f1cc59a45ce18d0b817496
SHA256: ead2c5aaf92fe07db45b99587f586c7a45f92c67220cd8113a5d2e7bcb320798
Tags: 32, dll, exe

Detection

SystemBC
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Yara detected SystemBC
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Hides threads from debuggers
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Overwrites code with function prologues
Tries to evade analysis by executing a special instruction (VM detection)
Tries to detect virtualization through RDTSC time measurements
PE file contains section with special chars
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Sample file is different than original file name gathered from version info
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
PE / OLE file has an invalid certificate
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Entry point lies outside standard sections

Classification

AV Detection

Source: 6k00SOeMjU.dll ReversingLabs: Detection: 23%
Source: 6k00SOeMjU.dll Virustotal: Detection: 17%
Source: 6k00SOeMjU.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 89.22.236.225 4193
Source: global traffic TCP traffic: 192.168.2.3:49698 -> 89.22.236.225:4193
Source: Joe Sandbox View ASN Name: INETLTDTR
Source: Joe Sandbox View IP Address: 89.22.236.225
Source: unknown TCP traffic detected without corresponding DNS query: 89.22.236.225
Source: 6k00SOeMjU.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 6k00SOeMjU.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 6k00SOeMjU.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: rundll32.exe, 00000003.00000002.769805471.0000000010B69000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.769805642.0000000010B69000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.769803694.0000000010B69000.00000002.00000001.01000000.00000003.sdmp, 6k00SOeMjU.dll String found in binary or memory: http://www.innosetup.com
Source: 6k00SOeMjU.dll String found in binary or memory: https://sectigo.com/CPS0
Source: loaddll32.exe, 00000000.00000002.250603818.00000000012DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary

Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: Detects SystemBC Author: ditekSHen
Source: 6k00SOeMjU.dll Static PE information: section name: *;>%1sXO
Source: 6k00SOeMjU.dll Static PE information: section name: 7rP!Ni:j
Source: 6k00SOeMjU.dll Static PE information: section name: bkE<E2?8
Source: 6k00SOeMjU.dll Static PE information: section name: 8*7`Joyq
Source: 6k00SOeMjU.dll Static PE information: section name: 0Ys'"rSd
Source: 6k00SOeMjU.dll Static PE information: section name: $u!6XeN&
Source: 6k00SOeMjU.dll Static PE information: section name: K)'tLNvc
Source: 6k00SOeMjU.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC
Source: 00000005.00000002.764703413.0000000010005000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 00000003.00000002.764685317.0000000010005000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 00000004.00000002.764666285.0000000010005000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: Process Memory Space: rundll32.exe PID: 5448, type: MEMORYSTR Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: Process Memory Space: rundll32.exe PID: 5476, type: MEMORYSTR Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: Process Memory Space: rundll32.exe PID: 3920, type: MEMORYSTR Matched rule: EXT_MAL_SystemBC_Mar22_1 date = 2022-03-11, hash1 = c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5, author = Thomas Barabosch, Deutsche Telekom Security, description = Detects unpacked SystemBC module as used by Emotet in March 2022, score = https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc, reference2 = https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6, reference = https://twitter.com/Cryptolaemus1/status/1502069552246575105
Source: 6k00SOeMjU.dll Binary or memory string: OriginalFilename6 vs 6k00SOeMjU.dll
Source: 6k00SOeMjU.dll Static PE information: invalid certificate
Source: 6k00SOeMjU.dll ReversingLabs: Detection: 23%
Source: 6k00SOeMjU.dll Virustotal: Detection: 17%
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\6k00SOeMjU.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\6k00SOeMjU.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\6k00SOeMjU.dll,rundll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6k00SOeMjU.dll",rundll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6k00SOeMjU.dll",#1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5260:120:WilError_01
Source: classification engine Classification label: mal96.troj.evad.winDLL@10/0@0/1
Source: 6k00SOeMjU.dll Static file information: File size 7566544 > 1048576
Source: 6k00SOeMjU.dll Static PE information: Raw size of nUPwRZiK is bigger than: 0x100000 < 0x734600
Source: 6k00SOeMjU.dll Static PE information: section name: *;>%1sXO
Source: 6k00SOeMjU.dll Static PE information: section name: 7rP!Ni:j
Source: 6k00SOeMjU.dll Static PE information: section name: bkE<E2?8
Source: 6k00SOeMjU.dll Static PE information: section name: 8*7`Joyq
Source: 6k00SOeMjU.dll Static PE information: section name: 0Ys'"rSd
Source: 6k00SOeMjU.dll Static PE information: section name: nUPwRZiK
Source: 6k00SOeMjU.dll Static PE information: section name: $u!6XeN&
Source: 6k00SOeMjU.dll Static PE information: section name: K)'tLNvc
Source: initial sample Static PE information: section where entry point is pointing to: nUPwRZiK

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: DF0005 value: E9 FB 99 AF 76
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 778E9A00 value: E9 0A 66 50 89
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 10D0007 value: E9 7B 4C 85 76
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 77924C80 value: E9 8E B3 7A 89
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 10E0005 value: E9 FB BF 7D 76
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 778BC000 value: E9 0A 40 82 89
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 1290008 value: E9 AB E0 66 76
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 778FE0B0 value: E9 60 1F 99 89
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 12A0005 value: E9 CB 5A 66 73
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 74905AD0 value: E9 3A A5 99 8C
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 12B0005 value: E9 5B B0 67 73
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 7492B060 value: E9 AA 4F 98 8C
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 12C0005 value: E9 DB F8 9E 75
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 76CAF8E0 value: E9 2A 07 61 8A
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 2D70005 value: E9 FB 42 F6 73
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 76CD4300 value: E9 0A BD 09 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 860005 value: E9 FB 99 08 77
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 778E9A00 value: E9 0A 66 F7 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 870007 value: E9 7B 4C 0B 77
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 77924C80 value: E9 8E B3 F4 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 890005 value: E9 FB BF 02 77
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 778BC000 value: E9 0A 40 FD 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 8B0008 value: E9 AB E0 04 77
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 778FE0B0 value: E9 60 1F FB 88
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: AD0005 value: E9 CB 5A E3 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 74905AD0 value: E9 3A A5 1C 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: AE0005 value: E9 5B B0 E4 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 7492B060 value: E9 AA 4F 1B 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 1050005 value: E9 DB F8 C5 75
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 76CAF8E0 value: E9 2A 07 3A 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 4490005 value: E9 FB 42 84 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5448 base: 76CD4300 value: E9 0A BD 7B 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 9E0005 value: E9 FB 99 F0 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 778E9A00 value: E9 0A 66 0F 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 9F0007 value: E9 7B 4C F3 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 77924C80 value: E9 8E B3 0C 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: D10005 value: E9 FB BF BA 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 778BC000 value: E9 0A 40 45 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: ED0008 value: E9 AB E0 A2 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 778FE0B0 value: E9 60 1F 5D 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: EF0005 value: E9 CB 5A A1 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 74905AD0 value: E9 3A A5 5E 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 1040005 value: E9 5B B0 8E 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 7492B060 value: E9 AA 4F 71 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 1050005 value: E9 DB F8 C5 75
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 76CAF8E0 value: E9 2A 07 3A 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 4810005 value: E9 FB 42 4C 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5476 base: 76CD4300 value: E9 0A BD B3 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 3150005 value: E9 FB 99 79 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 778E9A00 value: E9 0A 66 86 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 3400007 value: E9 7B 4C 52 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 77924C80 value: E9 8E B3 AD 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 3410005 value: E9 FB BF 4A 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 778BC000 value: E9 0A 40 B5 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 3430008 value: E9 AB E0 4C 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 778FE0B0 value: E9 60 1F B3 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 3440005 value: E9 CB 5A 4C 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 74905AD0 value: E9 3A A5 B3 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 3450005 value: E9 5B B0 4D 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 7492B060 value: E9 AA 4F B2 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 3460005 value: E9 DB F8 84 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 76CAF8E0 value: E9 2A 07 7B 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 3470005 value: E9 FB 42 86 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3920 base: 76CD4300 value: E9 0A BD 79 8C
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 778BC000 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 74905AD0 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 7492B060 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 76CAF8E0 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 5288 base: 76CD4300 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\loaddll32.exe Special instruction interceptor: First address: 0000000010B09AA6 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000106587EA second address: 0000000010658809 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 ror edx, FFFFFF86h 0x00000007 xor ax, si 0x0000000a not cl 0x0000000c clc 0x0000000d xor bl, cl 0x0000000f push esi 0x00000010 push edi 0x00000011 rol dh, FFFFFF9Dh 0x00000014 rcl eax, cl 0x00000016 test bx, bx 0x00000019 push ebx 0x0000001a mov ebx, ecx 0x0000001c movsx eax, di 0x0000001f rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 00000000106587EA second address: 0000000010658809 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 ror edx, FFFFFF86h 0x00000007 xor ax, si 0x0000000a not cl 0x0000000c clc 0x0000000d xor bl, cl 0x0000000f push esi 0x00000010 push edi 0x00000011 rol dh, FFFFFF9Dh 0x00000014 rcl eax, cl 0x00000016 test bx, bx 0x00000019 push ebx 0x0000001a mov ebx, ecx 0x0000001c movsx eax, di 0x0000001f rdtsc
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\loaddll32.exe System information queried: ModuleInformation
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: rundll32.exe, 00000004.00000002.764386156.0000000000F0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\System32\loaddll32.exe System information queried: KernelDebuggerInformation
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 89.22.236.225 4193
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\6k00SOeMjU.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3920, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 4.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.10000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5476, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3920, type: MEMORYSTR