Windows Analysis Report
LwNdQo4zIk.exe

Overview

General Information

Sample Name: LwNdQo4zIk.exe
Analysis ID: 778226
MD5: 3ccd6b369eb1dde57d181e7550bd7268
SHA1: aee399e263c838570c00133feab275b81009e12a
SHA256: f5717aef9a4323816387603920b652a94ac0d9cedef36391cedd9cdcbfef7f60
Tags: 32exe
Infos:

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for dropped file
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Drops PE files
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: LwNdQo4zIk.exe Virustotal: Detection: 49% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp Virustotal: Detection: 64% Perma Link
Machine Learning detection for sample
Source: LwNdQo4zIk.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.LwNdQo4zIk.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen2
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004A7759 CryptAcquireContextA, 0_2_004A7759
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004AB9D1 CryptDeriveKey, 0_2_004AB9D1
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004B01AF CryptExportKey, 0_2_004B01AF
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004B035E CryptDestroyKey, 0_2_004B035E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004B056E CryptReleaseContext, 0_2_004B056E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004BA67F CryptAcquireContextA,CryptAcquireContextA, 0_2_004BA67F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004AF6E3 CryptExportKey, 0_2_004AF6E3
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004BA75C CryptEncrypt,CryptEncrypt, 0_2_004BA75C
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004BA7D8 CryptDestroyKey,CryptDestroyKey, 0_2_004BA7D8
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004BA80E CryptReleaseContext,CryptReleaseContext, 0_2_004BA80E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004BA9DE CryptBinaryToStringA,CryptBinaryToStringA, 0_2_004BA9DE
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004C2A13 CryptBinaryToStringA, 0_2_004C2A13
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004AFA91 CryptExportKey,CryptExportKey, 0_2_004AFA91
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004A5B70 CryptBinaryToStringA, 0_2_004A5B70
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004AEB1B CryptGenKey, 0_2_004AEB1B
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004A8D87 CryptBinaryToStringA,GetTempPathW, 0_2_004A8D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D51140C CryptDeriveKey, 1_2_6D51140C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D507CD1 CryptReleaseContext, 1_2_6D507CD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D500CD9 CryptDestroyKey, 1_2_6D500CD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4F9484 CryptHashData, 1_2_6D4F9484
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D500486 CryptHashData, 1_2_6D500486
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D50AF62 CryptHashData, 1_2_6D50AF62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4F3F01 CryptHashData, 1_2_6D4F3F01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4E8F2B CryptDeriveKey, 1_2_6D4E8F2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4F279D HttpSendRequestW,CryptReleaseContext, 1_2_6D4F279D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4E46B5 CryptEncrypt, 1_2_6D4E46B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4FE812 CryptEncrypt, 1_2_6D4FE812
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D509035 CryptReleaseContext, 1_2_6D509035
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4EC080 CryptHashData, 1_2_6D4EC080
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4F1A58 CryptEncrypt, 1_2_6D4F1A58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D536A70 CryptEncrypt, 1_2_6D536A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4ECA64 CryptEncrypt, 1_2_6D4ECA64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D507ADA CryptDeriveKey, 1_2_6D507ADA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4EEAE5 CryptGetHashParam, 1_2_6D4EEAE5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D500283 CryptReleaseContext,GetProcAddress,GetProcAddress, 1_2_6D500283

Compliance
barindex
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack
Uses 32bit PE files
Source: LwNdQo4zIk.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: Binary string: C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe
Source: Binary string: >h6C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004B7085 InternetReadFile, 0_2_004B7085

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.249983417.000000000217D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.250162242.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Uses 32bit PE files
Source: LwNdQo4zIk.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 00000000.00000002.249983417.000000000217D000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.250162242.0000000002260000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960
Detected potential crypto function
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004FA0B0 0_2_004FA0B0
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004B4115 0_2_004B4115
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004AB2C2 0_2_004AB2C2
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004C13A5 0_2_004C13A5
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004DE3A7 0_2_004DE3A7
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004A067F 0_2_004A067F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004DD9E8 0_2_004DD9E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D51213A 1_2_6D51213A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D4ECA64 1_2_6D4ECA64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_6D52822C 1_2_6D52822C
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp 20DC61C5456EA5756F432AEBECF74660ACEBF5ACE0F7C8D1B360757ED79075D8
Source: LwNdQo4zIk.exe Static PE information: Section: .data ZLIB complexity 0.9918356461560528
Source: LwNdQo4zIk.exe Virustotal: Detection: 49%
Source: LwNdQo4zIk.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004B1333 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot, 0_2_004B1333
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot
Source: unknown Process created: C:\Users\user\Desktop\LwNdQo4zIk.exe C:\Users\user\Desktop\LwNdQo4zIk.exe
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1568 -s 960
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp",Uprsprhaot Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1568
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe File created: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp Jump to behavior
Source: classification engine Classification label: mal84.evad.winEXE@4/5@0/1
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: LwNdQo4zIk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe
Source: Binary string: >h6C:\ruko\kusugu8-fu.pdb source: LwNdQo4zIk.exe

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Unpacked PE file: 0.2.LwNdQo4zIk.exe.400000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004F7054 push 004E123Eh; ret 0_2_004F71C1
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004F0321 push 004ED2FBh; ret 0_2_004F0472
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004D6483 push 0046B803h; ret 0_2_004D6561
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004D85D5 push 004C899Fh; ret 0_2_004D867A
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004EB75E push 004D3CB3h; ret 0_2_004EB891
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004A7759 push dword ptr [004FCE43h]; ret 0_2_004A7A9F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004EA92F push 004DAC2Fh; ret 0_2_004EAA73
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004F59CA push 004B1D5Fh; ret 0_2_004F5B00
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004AB9D1 push 0046C15Ah; ret 0_2_004ABA8F
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_0046FE63 push 00469E02h; ret 0_2_0046FFC0
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004C8FA2 push 004ADFCDh; ret 0_2_004C907D
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004C8FA2 push 004B29F4h; ret 0_2_004C947A
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_00491044 push 0046B803h; ret 0_2_00491087
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004F3042 push 004BACA2h; ret 0_2_004F30B2
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_0047E048 push 004F3C92h; ret 0_2_0047E101
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004A5057 push 004A4A45h; ret 0_2_004A5090
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004AC057 push 004A024Ch; ret 0_2_004AC0BA
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_00494069 push 0046CDFCh; ret 0_2_004941DE
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_0049B068 push 0046CDFCh; ret 0_2_0049B298
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_0046D063 push 0046AD57h; ret 0_2_0046D29E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_0049806C push dword ptr [004FC7DBh]; ret 0_2_00498104
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004C5069 push 004ADFCDh; ret 0_2_004C50AC
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_0046F07F push dword ptr [004FD207h]; ret 0_2_0046F14E
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_0047B07B push 00469E02h; ret 0_2_0047B1AC
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004D300B push dword ptr [004FD567h]; ret 0_2_004D3029
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_00480001 push dword ptr [004FC7DBh]; ret 0_2_00480022
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004CD000 push 004A0557h; ret 0_2_004CD295
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004B8005 push 004AC2A1h; ret 0_2_004B8038
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_00474016 push 0046C15Ah; ret 0_2_004740C1
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004B701A push 004F3C92h; ret 0_2_004B7084
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004D1013 push 004B06B3h; ret 0_2_004D110A
Drops PE files
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe File created: C:\Users\user\AppData\Local\Temp\Pyupydeoe.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 3.5 %
Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 136000 Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: rundll32.exe, 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 00000001.00000000.258771674.000000006D58B000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanW
Source: LwNdQo4zIk.exe, 00000000.00000002.250562734.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr Binary or memory string: #NtSetInformationWorkerFactoryTpSetDefaultPoolStackInformationDosDateTimeToFileTimeSetCurrentDirectoryWHkOleRegisterObjectSetProgmanWindowMicrosoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dllSystem.Collections.dllInkSeg.dll0123456789abcdefCNB_0336.DLLMicrosoft.Windows.Diagnosis.Commands.WriteDiagProgress.dllmsscp.dllOSProvider.dllapi-ms-win-core-localization-l1-1-0.dllmscorier.dll0123456789abcdef
Source: rundll32.exe, 00000001.00000002.760368357.000000006D58B000.00000004.00000001.01000000.00000004.sdmp, rundll32.exe, 00000001.00000000.258771674.000000006D58B000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: SetProgmanW
Source: LwNdQo4zIk.exe, 00000000.00000002.250562734.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Pyupydeoe.tmp.0.dr Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Users\user\Desktop\LwNdQo4zIk.exe Code function: 0_2_004ADA35 GetLocalTime, 0_2_004ADA35
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 778226 Sample: LwNdQo4zIk.exe Startdate: 05/01/2023 Architecture: WINDOWS Score: 84 20 Malicious sample detected (through community Yara rule) 2->20 22 Multi AV Scanner detection for dropped file 2->22 24 Multi AV Scanner detection for submitted file 2->24 26 Machine Learning detection for sample 2->26 7 LwNdQo4zIk.exe 1 2->7         started        process3 file4 16 C:\Users\user\AppData\Local\...\Pyupydeoe.tmp, PE32 7->16 dropped 28 Detected unpacking (changes PE section rights) 7->28 30 Detected unpacking (overwrites its own PE header) 7->30 11 rundll32.exe 1 7->11         started        signatures5 process6 process7 13 WerFault.exe 24 9 11->13         started        dnsIp8 18 192.168.2.1 unknown unknown 13->18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious

Private

IP
192.168.2.1