Windows Analysis Report
f_00321b.dll

Overview

General Information

Sample Name:	f_00321b.dll (renamed file extension from none to dll, renamed because original name is a hash value)
Original Sample Name:	f_00321b
Analysis ID:	829558
MD5:	bfc060937dc90b273eccb6825145f298
SHA1:	c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256:	2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253
Infos:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Multi AV Scanner detection for submitted file

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Queues an APC in another process (thread injection)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Connects to several IPs in different countries

Registers a DLL

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: f_00321b.dll	ReversingLabs: Detection: 79%
Source: f_00321b.dll	Virustotal: Detection: 60%			Perma Link

Antivirus detection for URL or domain

Source: https://164.90.222.65:443/igqovuqspgdf/wfealienuk/lkpf/f/	Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/hHm	Avira URL Cloud: Label: malware
Source: https://103.43.75.120/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://103.43.75.120:443/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://213.239.212.5/0/	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/igqovuqspgdf/wfealienuk/lkpf/T	Avira URL Cloud: Label: malware
Source: https://164.90.222.65/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/Y	Avira URL Cloud: Label: malware
Source: https://213.239.212.5/	Avira URL Cloud: Label: malware
Source: https://82.223.21.224:8080/	Avira URL Cloud: Label: malware
Source: https://159.89.202.34:443/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/PO	Avira URL Cloud: Label: malware
Source: https://159.65.88.10:8080/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://213.239.212.5/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/f/	Avira URL Cloud: Label: malware
Source: https://91.121.146.47:8080/	Avira URL Cloud: Label: malware
Source: https://206.189.28.199:8080/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/	Avira URL Cloud: Label: malware
Source: https://107.170.39.149:8080/rue4m	Avira URL Cloud: Label: malware
Source: https://164.90.222.65/wn	Avira URL Cloud: Label: malware
Source: https://72.15.201.15:8080/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/s	Avira URL Cloud: Label: malware
Source: https://104.168.155.143:8080/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware
Source: https://169.57.156.166:8080/igqovuqspgdf/wfealienuk/lkpf/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: https://82.223.21.224:8080/

Virustotal: Detection: 8%

Perma Link

Source: 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["91.121.146.47:8080", "66.228.32.31:7080", "182.162.143.56:443", "187.63.160.88:80", "167.172.199.165:8080", "164.90.222.65:443", "104.168.155.143:8080", "163.44.196.120:8080", "160.16.142.56:8080", "159.89.202.34:443", "159.65.88.10:8080", "186.194.240.217:443", "149.56.131.28:8080", "72.15.201.15:8080", "1.234.2.232:8080", "82.223.21.224:8080", "206.189.28.199:8080", "169.57.156.166:8080", "107.170.39.149:8080", "103.43.75.120:443", "91.207.28.33:8080", "213.239.212.5:443", "45.235.8.30:8080", "119.59.103.152:8080", "164.68.99.3:8080", "95.217.221.146:8080", "153.126.146.25:7080", "197.242.150.244:8080", "202.129.205.3:8080", "103.132.242.26:8080", "139.59.126.41:443", "110.232.117.186:8080", "183.111.227.137:8080", "5.135.159.50:443", "201.94.166.162:443", "103.75.201.2:443", "79.137.35.198:8080", "172.105.226.75:8080", "94.23.45.86:4143", "115.68.227.76:8080", "153.92.5.27:8080", "167.172.253.162:8080", "188.44.20.25:443", "147.139.166.154:8080", "129.232.188.93:443", "173.212.193.249:8080", "185.4.135.165:8080", "45.176.232.124:443"], "Public Key": ["RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj51CrH1gASAIg=", "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx23yr61gATAIo="]}

Source: unknown

HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49704 version: TLS 1.2

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180008D28 FindFirstFileExW,		3_2_0000000180008D28
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180008D28 FindFirstFileExW,		4_2_0000000180008D28

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.65.88.10 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 164.90.222.65 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 213.239.212.5 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 186.194.240.217 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 104.168.155.143 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 159.89.202.34 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 160.16.142.56 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.121.146.47 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 91.207.28.33 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 103.43.75.120 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 45.235.8.30 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 72.15.201.15 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 163.44.196.120 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 206.189.28.199 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 107.170.39.149 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 187.63.160.88 80	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 66.228.32.31 7080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 82.223.21.224 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 149.56.131.28 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 169.57.156.166 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 182.162.143.56 443	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 1.234.2.232 8080	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Network Connect: 167.172.199.165 8080	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.4:49704 -> 164.90.222.65:443
Source: Traffic	Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.4:49695 -> 91.121.146.47:8080
Source: Traffic	Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.4:49697 -> 66.228.32.31:7080
Source: Traffic	Snort IDS: 2404312 ET CNC Feodo Tracker Reported CnC Server TCP group 7 192.168.2.4:49698 -> 182.162.143.56:443
Source: Traffic	Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.4:49702 -> 187.63.160.88:80
Source: Traffic	Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.4:49703 -> 167.172.199.165:8080
Source: Traffic	Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.4:49705 -> 104.168.155.143:8080
Source: Traffic	Snort IDS: 2404304 ET CNC Feodo Tracker Reported CnC Server TCP group 3 192.168.2.4:49719 -> 1.234.2.232:8080
Source: Traffic	Snort IDS: 2404318 ET CNC Feodo Tracker Reported CnC Server TCP group 10 192.168.2.4:49721 -> 206.189.28.199:8080
Source: Traffic	Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.4:49729 -> 213.239.212.5:443
Source: Traffic	Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.4:49733 -> 45.235.8.30:8080

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 91.121.146.47:8080
Source: Malware configuration extractor	IPs: 66.228.32.31:7080
Source: Malware configuration extractor	IPs: 182.162.143.56:443
Source: Malware configuration extractor	IPs: 187.63.160.88:80
Source: Malware configuration extractor	IPs: 167.172.199.165:8080
Source: Malware configuration extractor	IPs: 164.90.222.65:443
Source: Malware configuration extractor	IPs: 104.168.155.143:8080
Source: Malware configuration extractor	IPs: 163.44.196.120:8080
Source: Malware configuration extractor	IPs: 160.16.142.56:8080
Source: Malware configuration extractor	IPs: 159.89.202.34:443
Source: Malware configuration extractor	IPs: 159.65.88.10:8080
Source: Malware configuration extractor	IPs: 186.194.240.217:443
Source: Malware configuration extractor	IPs: 149.56.131.28:8080
Source: Malware configuration extractor	IPs: 72.15.201.15:8080
Source: Malware configuration extractor	IPs: 1.234.2.232:8080
Source: Malware configuration extractor	IPs: 82.223.21.224:8080
Source: Malware configuration extractor	IPs: 206.189.28.199:8080
Source: Malware configuration extractor	IPs: 169.57.156.166:8080
Source: Malware configuration extractor	IPs: 107.170.39.149:8080
Source: Malware configuration extractor	IPs: 103.43.75.120:443
Source: Malware configuration extractor	IPs: 91.207.28.33:8080
Source: Malware configuration extractor	IPs: 213.239.212.5:443
Source: Malware configuration extractor	IPs: 45.235.8.30:8080
Source: Malware configuration extractor	IPs: 119.59.103.152:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 95.217.221.146:8080
Source: Malware configuration extractor	IPs: 153.126.146.25:7080
Source: Malware configuration extractor	IPs: 197.242.150.244:8080
Source: Malware configuration extractor	IPs: 202.129.205.3:8080
Source: Malware configuration extractor	IPs: 103.132.242.26:8080
Source: Malware configuration extractor	IPs: 139.59.126.41:443
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 183.111.227.137:8080
Source: Malware configuration extractor	IPs: 5.135.159.50:443
Source: Malware configuration extractor	IPs: 201.94.166.162:443
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 79.137.35.198:8080
Source: Malware configuration extractor	IPs: 172.105.226.75:8080
Source: Malware configuration extractor	IPs: 94.23.45.86:4143
Source: Malware configuration extractor	IPs: 115.68.227.76:8080
Source: Malware configuration extractor	IPs: 153.92.5.27:8080
Source: Malware configuration extractor	IPs: 167.172.253.162:8080
Source: Malware configuration extractor	IPs: 188.44.20.25:443
Source: Malware configuration extractor	IPs: 147.139.166.154:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 185.4.135.165:8080
Source: Malware configuration extractor	IPs: 45.176.232.124:443

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 8916410db85077a5460817142dcbc8de

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: POST /igqovuqspgdf/wfealienuk/lkpf/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 164.90.222.65

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 159.65.88.10 159.65.88.10

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.4:49695 -> 91.121.146.47:8080
Source: global traffic	TCP traffic: 192.168.2.4:49697 -> 66.228.32.31:7080
Source: global traffic	TCP traffic: 192.168.2.4:49703 -> 167.172.199.165:8080
Source: global traffic	TCP traffic: 192.168.2.4:49705 -> 104.168.155.143:8080
Source: global traffic	TCP traffic: 192.168.2.4:49706 -> 163.44.196.120:8080
Source: global traffic	TCP traffic: 192.168.2.4:49707 -> 160.16.142.56:8080
Source: global traffic	TCP traffic: 192.168.2.4:49712 -> 159.65.88.10:8080
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 149.56.131.28:8080
Source: global traffic	TCP traffic: 192.168.2.4:49718 -> 72.15.201.15:8080
Source: global traffic	TCP traffic: 192.168.2.4:49719 -> 1.234.2.232:8080
Source: global traffic	TCP traffic: 192.168.2.4:49720 -> 82.223.21.224:8080
Source: global traffic	TCP traffic: 192.168.2.4:49721 -> 206.189.28.199:8080
Source: global traffic	TCP traffic: 192.168.2.4:49722 -> 169.57.156.166:8080
Source: global traffic	TCP traffic: 192.168.2.4:49723 -> 107.170.39.149:8080
Source: global traffic	TCP traffic: 192.168.2.4:49728 -> 91.207.28.33:8080
Source: global traffic	TCP traffic: 192.168.2.4:49733 -> 45.235.8.30:8080

Connects to several IPs in different countries

Source: unknown

Network traffic detected: IP country count 17

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.146.47
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 66.228.32.31
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 182.162.143.56
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 187.63.160.88
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 167.172.199.165
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 164.90.222.65
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.155.143

Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494319079.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407309155.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000006.00000003.494319079.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407309155.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000006.00000003.494319079.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407309155.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/OID
Source: regsvr32.exe, 00000006.00000003.405755577.0000000000A47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/c
Source: regsvr32.exe, 00000006.00000003.407309155.00000000009B4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494297194.00000000009B6000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.837838850.00000000009B7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494261913.00000000009B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.6.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000006.00000003.407309155.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3ae1e74b5e41b
Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://10.235.8.30:8080/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.43.75.120/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.43.75.120:443/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.837838850.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://103.44.196.120:8080/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.168.155.143:8080/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.168.155.143:8080/Y
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://104.168.155.143:8080/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://107.170.39.149:8080/hHm
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.837838850.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://107.170.39.149:8080/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://107.170.39.149:8080/rue4m
Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.65.88.10:8080/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://159.89.202.34:443/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://164.90.222.65/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494319079.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://164.90.222.65/wn
Source: regsvr32.exe, 00000006.00000003.493259582.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://164.90.222.65:443/igqovuqspgdf/wfealienuk/lkpf/f/
Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://169.57.156.166:8080/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://206.189.28.199:8080/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://213.239.212.5/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://213.239.212.5/0/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://213.239.212.5/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.235.8.30:8080/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.235.8.30:8080/f/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.838188183.0000000002B6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/PO
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://45.235.8.30:8080/igqovuqspgdf/wfealienuk/lkpf/s
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://72.15.201.15:8080/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000002.837938487.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://82.223.21.224:8080/
Source: regsvr32.exe, 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/
Source: regsvr32.exe, 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/igqovuqspgdf/wfealienuk/lkpf/
Source: regsvr32.exe, 00000006.00000003.407505388.00000000009D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://91.121.146.47:8080/igqovuqspgdf/wfealienuk/lkpf/T

Source: unknown

HTTP traffic detected: POST /igqovuqspgdf/wfealienuk/lkpf/ HTTP/1.1Connection: Keep-AliveContent-Length: 0Host: 164.90.222.65

Source: unknown

HTTPS traffic detected: 164.90.222.65:443 -> 192.168.2.4:49704 version: TLS 1.2

E-Banking Fraud

Yara detected Emotet

Source: Yara match	File source: 00000006.00000002.837764087.000000000095B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.263a5e10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.263a5e10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.regsvr32.exe.c60000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.264e3c10000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.rundll32.exe.264e3c10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.regsvr32.exe.b20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.321671737.00000263A5E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.322224352.00000264E3C10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.322307535.00000264E3C41000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.322806911.0000000000C60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.323368547.0000000000E61000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.322501137.00000263A7711000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.837994080.0000000000B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.838029759.0000000000B51000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY

Deletes files inside the Windows folder

Source: C:\Windows\System32\regsvr32.exe

File deleted: C:\Windows\System32\ChVCsX\ramMHRyb.dll:Zone.Identifier

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,	3_2_0000000180010C10
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,	3_2_0000000180010AC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,	3_2_0000000180010DB0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010C10 LdrFindResource_U,LdrAccessResource,NtAllocateVirtualMemory,	4_2_0000000180010C10
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010AC0 ExitProcess,RtlQueueApcWow64Thread,NtTestAlert,	4_2_0000000180010AC0
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180010DB0 ZwOpenSymbolicLinkObject,ZwOpenSymbolicLinkObject,	4_2_0000000180010DB0

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\f_00321b.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ChVCsX\ramMHRyb.dll"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LwMWPX\mOtL.dll"
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WiCuwn\qvjh.dll"
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\f_00321b.dll	Jump to behavior
Source: C:\Windows\System32\loaddll64.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\f_00321b.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\f_00321b.dll",#1	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\ChVCsX\ramMHRyb.dll"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\LwMWPX\mOtL.dll"	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\WiCuwn\qvjh.dll"	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK

Source: f_00321b.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: f_00321b.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: f_00321b.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: f_00321b.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: f_00321b.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: f_00321b.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: f_00321b.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: f_00321b.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: f_00321b.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: f_00321b.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: f_00321b.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180005C69 push rdi; ret	3_2_0000000180005C72
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800056DD push rdi; ret	3_2_00000001800056E4
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E6A0FC push ebp; iretd	3_2_00E6A0FD
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E780D7 push ebp; retf	3_2_00E780D8
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E66CDE push esi; iretd	3_2_00E66CDF
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E66C9F pushad ; ret	3_2_00E66CAA
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E6A1D2 push ebp; iretd	3_2_00E6A1D3
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E77987 push ebp; iretd	3_2_00E7798F
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E77D4E push ebp; iretd	3_2_00E77D4F
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E78157 push ebp; retf	3_2_00E78158
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E69D51 push ebp; retf	3_2_00E69D5A
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E77D25 push 4D8BFFFFh; retf	3_2_00E77D2A
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E77D3C push ebp; retf	3_2_00E77D3D
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E77EAF push 458BCC5Ah; retf	3_2_00E77EBC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E69E8B push eax; retf	3_2_00E69E8E
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E6A26E push ebp; ret	3_2_00E6A26F
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00E7C731 push esi; iretd	3_2_00E7C732
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180005C69 push rdi; ret	4_2_0000000180005C72
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800056DD push rdi; ret	4_2_00000001800056E4
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A7728157 push ebp; retf	4_2_00000263A7728158
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A7727D4E push ebp; iretd	4_2_00000263A7727D4F
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A7719D51 push ebp; retf	4_2_00000263A7719D5A
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A7727D3C push ebp; retf	4_2_00000263A7727D3D
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A7727D25 push 4D8BFFFFh; retf	4_2_00000263A7727D2A
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A771A1D2 push ebp; iretd	4_2_00000263A771A1D3
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A7727987 push ebp; iretd	4_2_00000263A772798F
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A771A0FC push ebp; iretd	4_2_00000263A771A0FD
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A77280D7 push ebp; retf	4_2_00000263A77280D8
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A7716CDE push esi; iretd	4_2_00000263A7716CDF
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A7716C9F pushad ; ret	4_2_00000263A7716CAA
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000263A772C731 push esi; iretd	4_2_00000263A772C732

Source: C:\Windows\System32\regsvr32.exe	File opened: C:\Windows\system32\ChVCsX\ramMHRyb.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\LwMWPX\mOtL.dll:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File opened: C:\Windows\system32\WiCuwn\qvjh.dll:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: regsvr32.exe, 00000003.00000002.323042922.0000000000CB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: hGFsjg
Source: rundll32.exe, 00000005.00000002.321631471.00000264E3AB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\H
Source: regsvr32.exe, 00000006.00000003.494204988.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494204988.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407309155.000000000099C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407309155.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.407505388.00000000009D2000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.000000000099C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.837838850.000000000099C000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.837838850.00000000009D4000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000003.494106768.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000006.00000002.837838850.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000005.00000002.321631471.00000264E3AB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_0000000180001C48
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00000001800082EC
Source: C:\Windows\System32\regsvr32.exe	Code function: 3_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00000001800017DC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_0000000180001C48 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0000000180001C48
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800082EC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00000001800082EC
Source: C:\Windows\System32\rundll32.exe	Code function: 4_2_00000001800017DC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00000001800017DC

IP	Domain	Country	ASN	ASN Name	Malicious
159.65.88.10	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
172.105.226.75	unknown	United States	63949	LINODE-APLinodeLLCUS	true
164.90.222.65	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
110.232.117.186	unknown	Australia	56038	RACKCORP-APRackCorpAU	true
213.239.212.5	unknown	Germany	24940	HETZNER-ASDE	true
5.135.159.50	unknown	France	16276	OVHFR	true
186.194.240.217	unknown	Brazil	262733	NetceteraTelecomunicacoesLtdaBR	true
103.132.242.26	unknown	India	45117	INPL-IN-APIshansNetworkIN	true
104.168.155.143	unknown	United States	54290	HOSTWINDSUS	true
119.59.103.152	unknown	Thailand	56067	METRABYTE-TH453LadplacoutJorakhaebuaTH	true
79.137.35.198	unknown	France	16276	OVHFR	true
159.89.202.34	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
91.121.146.47	unknown	France	16276	OVHFR	true
160.16.142.56	unknown	Japan	9370	SAKURA-BSAKURAInternetIncJP	true
201.94.166.162	unknown	Brazil	28573	CLAROSABR	true
91.207.28.33	unknown	Kyrgyzstan	39819	PROHOSTKG	true
103.75.201.2	unknown	Thailand	133496	CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH	true
103.43.75.120	unknown	Japan	20473	AS-CHOOPAUS	true
115.68.227.76	unknown	Korea Republic of	38700	SMILESERV-AS-KRSMILESERVKR	true
188.44.20.25	unknown	Macedonia	57374	GIV-ASMK	true
45.235.8.30	unknown	Brazil	267405	WIKINETTELECOMUNICACOESBR	true
153.126.146.25	unknown	Japan	7684	SAKURA-ASAKURAInternetIncJP	true
72.15.201.15	unknown	United States	13649	ASN-VINSUS	true
163.44.196.120	unknown	Singapore	135161	GMO-Z-COM-THGMO-ZcomNetDesignHoldingsCoLtdSG	true
206.189.28.199	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
107.170.39.149	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
66.228.32.31	unknown	United States	63949	LINODE-APLinodeLLCUS	true
187.63.160.88	unknown	Brazil	28169	BITCOMPROVEDORDESERVICOSDEINTERNETLTDABR	true
82.223.21.224	unknown	Spain	8560	ONEANDONE-ASBrauerstrasse48DE	true
197.242.150.244	unknown	South Africa	37611	AfrihostZA	true
173.212.193.249	unknown	Germany	51167	CONTABODE	true
185.4.135.165	unknown	Greece	199246	TOPHOSTGR	true
183.111.227.137	unknown	Korea Republic of	4766	KIXS-AS-KRKoreaTelecomKR	true
45.176.232.124	unknown	Colombia	267869	CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOC	true
95.217.221.146	unknown	Germany	24940	HETZNER-ASDE	true
149.56.131.28	unknown	Canada	16276	OVHFR	true
169.57.156.166	unknown	United States	36351	SOFTLAYERUS	true
164.68.99.3	unknown	Germany	51167	CONTABODE	true
182.162.143.56	unknown	Korea Republic of	3786	LGDACOMLGDACOMCorporationKR	true
139.59.126.41	unknown	Singapore	14061	DIGITALOCEAN-ASNUS	true
1.234.2.232	unknown	Korea Republic of	9318	SKB-ASSKBroadbandCoLtdKR	true
167.172.253.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
129.232.188.93	unknown	South Africa	37153	xneeloZA	true
167.172.199.165	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
202.129.205.3	unknown	Thailand	45328	NIPA-AS-THNIPATECHNOLOGYCOLTDTH	true
147.139.166.154	unknown	United States	45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true
153.92.5.27	unknown	Germany	47583	AS-HOSTINGERLT	true
94.23.45.86	unknown	France	16276	OVHFR	true

ID:	829558
Product:	CloudBasic
Start time:	16:02:26
Start date:	18.03.2023
Sample:	f_00321b
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	bfc060937dc90b273eccb6825145f298
SHA1:	c156c00c7e918f0cb7363614fb1f177c90d8108a
SHA256:	2f39c2879989ddd7f9ecf52b6232598e5595f8bf367846ff188c9dfbf1251253
Filetype:	Win64 Dynamic Link Library (generic) (102004/3) 86.43%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, Windows 2000/XP setup, 62582 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression	E71C8443AE0BC2E282C73FAEAD0A6DD3	0C110C1B01E68EDFACAEAE64781A37B1995FA94B	95B0A5ACC5BF70D3ABDFD091D0C9F9063AA4FDE65BD34DBF16786082E1992E72
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	92A5046B3EABBD6B4A2EBF06E1D95894	9C1965C6F53CFBA0B9554569274DE1133FC72B59	8A39A8B9EF95B8F67F54A49142CD8716E8BA8D5D3363DFE7425E0EE5A18036FD

Windows Analysis Report f_00321b.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
f_00321b.dll