Windows Analysis Report
1Tkf1dTh5K.dll

Overview

General Information

Sample name: 1Tkf1dTh5K.dll (renamed because the original name is a hash value)
Original sample name: 3f93e2b9e4f395d06b6dd096368c3408.dll
Analysis ID: 1447639
MD5: 3f93e2b9e4f395d06b6dd096368c3408
SHA1: 30ff267a7f126da5d880ac41fad5c6ebe0bcaf37
SHA256: 3454fcc1cd07d8d82c49ce44e3eee266df4894d66f833be14cb16904eaf5b1c5
Tags: dll, RaccoonStealer

Detection

Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Detected VMProtect packer
Machine Learning detection for sample
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential time zone aware malware
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

AV Detection

Source: 1Tkf1dTh5K.dll Avira: detected
Source: http://47.110.247.171/login/jizhi2_m.php Virustotal: Detection: 8%
Source: http://47.110.247.171/login/t.phpj Virustotal: Detection: 8%
Source: http://47.110.247.171/C Virustotal: Detection: 8%
Source: http://47.110.247.171/login/ver_m.php Virustotal: Detection: 7%
Source: http://47.110.247.171/s Virustotal: Detection: 7%
Source: http://47.110.247.171/ Virustotal: Detection: 9%
Source: http://47.110.247.171:80/login/t.php Virustotal: Detection: 9%
Source: 1Tkf1dTh5K.dll ReversingLabs: Detection: 44%
Source: 1Tkf1dTh5K.dll Virustotal: Detection: 52%
Source: 1Tkf1dTh5K.dll Joe Sandbox ML: detected
Source: 1Tkf1dTh5K.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: Binary string: rundll32.pdb source: rundll32.exe, 00000003.00000002.2385100185.0000000004C90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.0000000000806000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2086404376.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2082294461.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192671725.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188379761.0000000004F21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000003.00000002.2385100185.0000000004C90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.0000000000806000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2086404376.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2082294461.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192671725.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188379761.0000000004F21000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 47.110.247.171 port 80
Source: Joe Sandbox View IP Address: 47.110.247.171
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-CN-NET-AP Hangzhou Alibaba Advertising Co Ltd
Source: global traffic HTTP traffic detected:
    POST /login/t.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html, application/xhtml+xml, */*
    Accept-Encoding: gbk, GB2312
    Accept-Language: zh-cn
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Content-Length: 13
    Host: 47.110.247.171
Source: global traffic HTTP traffic detected:
    POST /login/ver_m.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html, application/xhtml+xml, */*
    Accept-Encoding: gbk, GB2312
    Accept-Language: zh-cn
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Content-Length: 349
    Host: 47.110.247.171
Source: global traffic HTTP traffic detected:
    POST /login/jizhi2_m.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html, application/xhtml+xml, */*
    Accept-Encoding: gbk, GB2312
    Accept-Language: zh-cn
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Content-Length: 301
    Host: 47.110.247.171
Source: unknown HTTP traffic detected:
    POST /login/t.php HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html, application/xhtml+xml, */*
    Accept-Encoding: gbk, GB2312
    Accept-Language: zh-cn
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Content-Length: 13
    Host: 47.110.247.171
Source: rundll32.exe, 00000006.00000003.2188743743.0000000000938000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2193010264.0000000000938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.110.247.171:80/login/t.php
Source: rundll32.exe, 00000006.00000003.2269266886.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2224227280.0000000000970000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462918405.0000000000970000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.110.247.171:80/login/t.php_m.phpcd56ec472546541c80af5d1615d7
Source: rundll32.exe, 00000006.00000003.2269266886.0000000000962000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2272846682.0000000000962000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://47.110.247.17x
Source: rundll32.exe, 00000003.00000002.2385269268.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359523960.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463739896.0000000010199000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://ec.360bc.cnhttp://www.eyybc.com/forumdisplay.php?fid=17/memcp.php/ip.asp/time.asp/gonggao.txt
Source: rundll32.exe, 00000003.00000002.2386174372.0000000010FF6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2360525561.0000000010FF6000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2464996552.0000000010FF6000.00000002.00000001.01000000.00000003.sdmp, 1Tkf1dTh5K.dll String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: rundll32.exe, 00000003.00000002.2385269268.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359523960.0000000010199000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463739896.0000000010199000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.super-ec.cn

System Summary

Source: 1Tkf1dTh5K.dll Static PE information: .vmp0 and .vmp1 section names
Source: 1Tkf1dTh5K.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal96.evad.winDLL@10/0@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2668:120:WilError_03
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1Tkf1dTh5K.dll,main
Source: 1Tkf1dTh5K.dll ReversingLabs: Detection: 44%
Source: 1Tkf1dTh5K.dll Virustotal: Detection: 52%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\1Tkf1dTh5K.dll,main
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",main
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvfw32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: avifil32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmm.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msimg32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msacm32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmmbase.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: webio.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: sxs.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F4DACA4-160D-11D2-A8E9-00104B365C9F}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 1Tkf1dTh5K.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 1Tkf1dTh5K.dll Static file information: File size 8716288 > 1048576
Source: 1Tkf1dTh5K.dll Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x80b000
Source: Binary string: rundll32.pdb source: rundll32.exe, 00000003.00000002.2385100185.0000000004C90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.0000000000806000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2086404376.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2082294461.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192671725.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188379761.0000000004F21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: rundll32.exe, 00000003.00000002.2385100185.0000000004C90000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.0000000000809000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.0000000000806000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2086404376.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.2082294461.0000000005903000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2192671725.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188379761.0000000004F21000.00000004.00000020.00020000.00000000.sdmp
Source: initial sample Static PE information: section where entry point is pointing to: .vmp1
Source: 1Tkf1dTh5K.dll Static PE information: section name: .vmp0
Source: 1Tkf1dTh5K.dll Static PE information: section name: .vmp1

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 76A923A0 value: 8B FF 55 8B EC 83 EC 1C
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 76EBBA30 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 75A74D90 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 75A8EBF0 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 75E58A90 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 75E80230 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 76A923A0 value: 8B FF 55 8B EC 83 EC 1C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 76EBBA30 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 75A74D90 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 75A8EBF0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 75E58A90 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 75E80230 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 76A923A0 value: 8B FF 55 8B EC 83 EC 1C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 76EBBA30 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 75A74D90 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 75A8EBF0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 75E58A90 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 75E80230 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 76A923A0 value: 8B FF 55 8B EC 83 EC 1C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 76EBBA30 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 75A74D90 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 75A8EBF0 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 75E58A90 value: 8B FF 55 8B EC
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 75E80230 value: 8B FF 55 8B EC
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: FE0005 value: E9 2B BA ED 75
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 76EBBA30 value: E9 DA 45 12 8A
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: FF0008 value: E9 8B 8E F1 75
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 76F08E90 value: E9 80 71 0E 8A
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 1450005 value: E9 8B 4D 62 74
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 75A74D90 value: E9 7A B2 9D 8B
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 1470005 value: E9 EB EB 61 74
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 75A8EBF0 value: E9 1A 14 9E 8B
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 1480005 value: E9 8B 8A 9D 74
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 75E58A90 value: E9 7A 75 62 8B
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 1490005 value: E9 2B 02 9F 74
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 75E80230 value: E9 DA FD 60 8B
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 14A0005 value: E9 8B 2F A5 75
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 4428 base: 76EF2F90 value: E9 7A D0 5A 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 540005 value: E9 2B BA 97 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 76EBBA30 value: E9 DA 45 68 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 550008 value: E9 8B 8E 9B 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 76F08E90 value: E9 80 71 64 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 700005 value: E9 8B 4D 37 75
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 75A74D90 value: E9 7A B2 C8 8A
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: AE0005 value: E9 EB EB FA 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 75A8EBF0 value: E9 1A 14 05 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 3FE0005 value: E9 8B 8A E7 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 75E58A90 value: E9 7A 75 18 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 3FF0005 value: E9 2B 02 E9 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 75E80230 value: E9 DA FD 16 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 4000005 value: E9 8B 2F EF 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3356 base: 76EF2F90 value: E9 7A D0 10 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 3390005 value: E9 2B BA B2 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 76EBBA30 value: E9 DA 45 4D 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 33A0008 value: E9 8B 8E B6 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 76F08E90 value: E9 80 71 49 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 4D40005 value: E9 8B 4D D3 70
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 75A74D90 value: E9 7A B2 2C 8F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 4D60005 value: E9 EB EB D2 70
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 75A8EBF0 value: E9 1A 14 2D 8F
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 4D70005 value: E9 8B 8A 0E 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 75E58A90 value: E9 7A 75 F1 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 4D80005 value: E9 2B 02 10 71
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 75E80230 value: E9 DA FD EF 8E
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 4D90005 value: E9 8B 2F 16 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6608 base: 76EF2F90 value: E9 7A D0 E9 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: AE0005 value: E9 2B BA 3D 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 76EBBA30 value: E9 DA 45 C2 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 2B90008 value: E9 8B 8E 37 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 76F08E90 value: E9 80 71 C8 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 2BA0005 value: E9 8B 4D ED 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 75A74D90 value: E9 7A B2 12 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 2BD0005 value: E9 EB EB EB 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 75A8EBF0 value: E9 1A 14 14 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 2BE0005 value: E9 8B 8A 27 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 75E58A90 value: E9 7A 75 D8 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 2BF0005 value: E9 2B 02 29 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 75E80230 value: E9 DA FD D6 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 43B0005 value: E9 8B 2F B4 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5600 base: 76EF2F90 value: E9 7A D0 4B 8D
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: rundll32.exe, 00000003.00000002.2385398369.000000001029E000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359665579.000000001029E000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463928728.000000001029E000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: BSBIEDLL.DLL}
Source: rundll32.exe, 00000003.00000002.2385398369.000000001029E000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.2359665579.000000001029E000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.2463928728.000000001029E000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: BSBIEDLL.DLL
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 10F620C9 second address: 10F620DB instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 inc cl 0x00000005 xor bl, cl 0x00000007 btc ax, bx 0x0000000b adc edx, 4D427E8Fh 0x00000011 push ebp 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 10EEA988 second address: 107F4A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD834C0C3EFh 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 10EEA988 second address: 107F4A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8341C476Fh 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 10E2A970 second address: 10E2A982 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 not dh 0x00000006 rcl dx, cl 0x00000009 btr edx, 31h 0x0000000d xor cl, 00000015h 0x00000010 dec cl 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 10E566B3 second address: 10E566BA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 mov ebp, esi 0x00000005 mov bl, cl 0x00000007 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 10F620C9 second address: 10F620DB instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 inc cl 0x00000005 xor bl, cl 0x00000007 btc ax, bx 0x0000000b adc edx, 4D427E8Fh 0x00000011 push ebp 0x00000012 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 10EEA988 second address: 107F4A75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD8341C476Fh 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 10E2A970 second address: 10E2A982 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 not dh 0x00000006 rcl dx, cl 0x00000009 btr edx, 31h 0x0000000d xor cl, 00000015h 0x00000010 dec cl 0x00000012 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 10E566B3 second address: 10E566BA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 mov ebp, esi 0x00000005 mov bl, cl 0x00000007 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 104BA999 second address: 104BA9AB instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 not dh 0x00000006 rcl dx, cl 0x00000009 btr edx, 31h 0x0000000d xor cl, 00000015h 0x00000010 dec cl 0x00000012 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 107048C3 second address: 10764125 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD835361B64h 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 107048C3 second address: 10764125 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD834919EE4h 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 10775347 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 movsx ecx, ax 0x00000005 sub esi, 00000008h 0x0000000b mov dword ptr [esi], edx 0x0000000d test esi, esp 0x0000000f cmove ecx, ecx 0x00000012 mov dword ptr [esi+04h], eax 0x00000015 lea ebp, dword ptr [ebp-00000004h] 0x0000001b cmp edx, 303645EAh 0x00000021 setno ch 0x00000024 mov ecx, dword ptr [ebp+00h] 0x00000028 xor ecx, ebx 0x0000002a jmp 00007FD83520AD5Fh 0x0000002f dec ecx 0x00000030 test bp, ax 0x00000033 cmp esi, edi 0x00000035 neg ecx 0x00000037 sub ecx, 35BD5015h 0x0000003d jmp 00007FD835257943h 0x00000042 bswap ecx 0x00000044 inc ecx 0x00000045 cmp esp, 285E65A0h 0x0000004b stc 0x0000004c xor ecx, 0DBA1880h 0x00000052 xor ebx, ecx 0x00000054 add edi, ecx 0x00000056 jmp 00007FD83510E371h 0x0000005b jmp 00007FD8352FD384h 0x00000060 lea edx, dword ptr [esp+60h] 0x00000064 clc 0x00000065 cmc 0x00000066 cmp edi, edi 0x00000068 cmp esi, edx 0x0000006a jmp 00007FD83555BEE2h 0x0000006f ja 00007FD83527C090h 0x00000075 jmp edi 0x00000077 mov ecx, dword ptr [esi] 0x00000079 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 10775347 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 movsx ecx, ax 0x00000005 sub esi, 00000008h 0x0000000b mov dword ptr [esi], edx 0x0000000d test esi, esp 0x0000000f cmove ecx, ecx 0x00000012 mov dword ptr [esi+04h], eax 0x00000015 lea ebp, dword ptr [ebp-00000004h] 0x0000001b cmp edx, 303645EAh 0x00000021 setno ch 0x00000024 mov ecx, dword ptr [ebp+00h] 0x00000028 xor ecx, ebx 0x0000002a jmp 00007FD8347C30DFh 0x0000002f dec ecx 0x00000030 test bp, ax 0x00000033 cmp esi, edi 0x00000035 neg ecx 0x00000037 sub ecx, 35BD5015h 0x0000003d jmp 00007FD83480FCC3h 0x00000042 bswap ecx 0x00000044 inc ecx 0x00000045 cmp esp, 285E65A0h 0x0000004b stc 0x0000004c xor ecx, 0DBA1880h 0x00000052 xor ebx, ecx 0x00000054 add edi, ecx 0x00000056 jmp 00007FD8346C66F1h 0x0000005b jmp 00007FD8348B5704h 0x00000060 lea edx, dword ptr [esp+60h] 0x00000064 clc 0x00000065 cmc 0x00000066 cmp edi, edi 0x00000068 cmp esi, edx 0x0000006a jmp 00007FD834B14262h 0x0000006f ja 00007FD834834410h 0x00000075 jmp edi 0x00000077 mov ecx, dword ptr [esi] 0x00000079 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 106FFBA9 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 xor cx, bp 0x00000005 sub esi, 00000008h 0x0000000b or ecx, edx 0x0000000d shl ch, cl 0x0000000f mov dword ptr [esi], edx 0x00000011 setns ch 0x00000014 mov dword ptr [esi+04h], eax 0x00000017 and cx, 4E9Ch 0x0000001c dec ecx 0x0000001d lea ebp, dword ptr [ebp-00000004h] 0x00000023 not cx 0x00000026 mov ecx, dword ptr [ebp+00h] 0x0000002a xor ecx, ebx 0x0000002c jmp 00007FD83520C84Bh 0x00000031 dec ecx 0x00000032 cmp ecx, ebx 0x00000034 neg ecx 0x00000036 cmp al, 0Dh 0x00000038 sub ecx, 35BD5015h 0x0000003e jmp 00007FD8352AFB46h 0x00000043 bswap ecx 0x00000045 jmp 00007FD835345928h 0x0000004a inc ecx 0x0000004b cmc 0x0000004c xor ecx, 0DBA1880h 0x00000052 test edi, 5E2C497Ch 0x00000058 xor ebx, ecx 0x0000005a cmp si, di 0x0000005d jmp 00007FD8352EAEC3h 0x00000062 add edi, ecx 0x00000064 jmp 00007FD8351F90F9h 0x00000069 jmp 00007FD835201EDCh 0x0000006e lea edx, dword ptr [esp+60h] 0x00000072 clc 0x00000073 cmc 0x00000074 cmp edi, edi 0x00000076 cmp esi, edx 0x00000078 jmp 00007FD83555BEE2h 0x0000007d ja 00007FD83527C090h 0x00000083 jmp edi 0x00000085 mov ecx, dword ptr [esi] 0x00000087 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 106FFBA9 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 xor cx, bp 0x00000005 sub esi, 00000008h 0x0000000b or ecx, edx 0x0000000d shl ch, cl 0x0000000f mov dword ptr [esi], edx 0x00000011 setns ch 0x00000014 mov dword ptr [esi+04h], eax 0x00000017 and cx, 4E9Ch 0x0000001c dec ecx 0x0000001d lea ebp, dword ptr [ebp-00000004h] 0x00000023 not cx 0x00000026 mov ecx, dword ptr [ebp+00h] 0x0000002a xor ecx, ebx 0x0000002c jmp 00007FD8347C4BCBh 0x00000031 dec ecx 0x00000032 cmp ecx, ebx 0x00000034 neg ecx 0x00000036 cmp al, 0Dh 0x00000038 sub ecx, 35BD5015h 0x0000003e jmp 00007FD834867EC6h 0x00000043 bswap ecx 0x00000045 jmp 00007FD8348FDCA8h 0x0000004a inc ecx 0x0000004b cmc 0x0000004c xor ecx, 0DBA1880h 0x00000052 test edi, 5E2C497Ch 0x00000058 xor ebx, ecx 0x0000005a cmp si, di 0x0000005d jmp 00007FD8348A3243h 0x00000062 add edi, ecx 0x00000064 jmp 00007FD8347B1479h 0x00000069 jmp 00007FD8347BA25Ch 0x0000006e lea edx, dword ptr [esp+60h] 0x00000072 clc 0x00000073 cmc 0x00000074 cmp edi, edi 0x00000076 cmp esi, edx 0x00000078 jmp 00007FD834B14262h 0x0000007d ja 00007FD834834410h 0x00000083 jmp edi 0x00000085 mov ecx, dword ptr [esi] 0x00000087 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 104BA999 second address: 104BA9AB instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 not dh 0x00000006 rcl dx, cl 0x00000009 btr edx, 31h 0x0000000d xor cl, 00000015h 0x00000010 dec cl 0x00000012 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 107048C3 second address: 10764125 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD834919EE4h 0x00000007 inc cl 0x00000009 xchg dh, dl 0x0000000b test cl, al 0x0000000d sub ax, 00004E54h 0x00000011 neg cl 0x00000013 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 10775347 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 movsx ecx, ax 0x00000005 sub esi, 00000008h 0x0000000b mov dword ptr [esi], edx 0x0000000d test esi, esp 0x0000000f cmove ecx, ecx 0x00000012 mov dword ptr [esi+04h], eax 0x00000015 lea ebp, dword ptr [ebp-00000004h] 0x0000001b cmp edx, 303645EAh 0x00000021 setno ch 0x00000024 mov ecx, dword ptr [ebp+00h] 0x00000028 xor ecx, ebx 0x0000002a jmp 00007FD83520AD5Fh 0x0000002f dec ecx 0x00000030 test bp, ax 0x00000033 cmp esi, edi 0x00000035 neg ecx 0x00000037 sub ecx, 35BD5015h 0x0000003d jmp 00007FD835257943h 0x00000042 bswap ecx 0x00000044 inc ecx 0x00000045 cmp esp, 285E65A0h 0x0000004b stc 0x0000004c xor ecx, 0DBA1880h 0x00000052 xor ebx, ecx 0x00000054 add edi, ecx 0x00000056 jmp 00007FD83510E371h 0x0000005b jmp 00007FD8352FD384h 0x00000060 lea edx, dword ptr [esp+60h] 0x00000064 clc 0x00000065 cmc 0x00000066 cmp edi, edi 0x00000068 cmp esi, edx 0x0000006a jmp 00007FD83555BEE2h 0x0000006f ja 00007FD83527C090h 0x00000075 jmp edi 0x00000077 mov ecx, dword ptr [esi] 0x00000079 rdtsc
Source: C:\Windows\System32\loaddll32.exe RDTSC instruction interceptor: First address: 106FFBA9 second address: 106CCC9A instructions: 0x00000000 rdtsc 0x00000002 xor cx, bp 0x00000005 sub esi, 00000008h 0x0000000b or ecx, edx 0x0000000d shl ch, cl 0x0000000f mov dword ptr [esi], edx 0x00000011 setns ch 0x00000014 mov dword ptr [esi+04h], eax 0x00000017 and cx, 4E9Ch 0x0000001c dec ecx 0x0000001d lea ebp, dword ptr [ebp-00000004h] 0x00000023 not cx 0x00000026 mov ecx, dword ptr [ebp+00h] 0x0000002a xor ecx, ebx 0x0000002c jmp 00007FD8347C4BCBh 0x00000031 dec ecx 0x00000032 cmp ecx, ebx 0x00000034 neg ecx 0x00000036 cmp al, 0Dh 0x00000038 sub ecx, 35BD5015h 0x0000003e jmp 00007FD834867EC6h 0x00000043 bswap ecx 0x00000045 jmp 00007FD8348FDCA8h 0x0000004a inc ecx 0x0000004b cmc 0x0000004c xor ecx, 0DBA1880h 0x00000052 test edi, 5E2C497Ch 0x00000058 xor ebx, ecx 0x0000005a cmp si, di 0x0000005d jmp 00007FD8348A3243h 0x00000062 add edi, ecx 0x00000064 jmp 00007FD8347B1479h 0x00000069 jmp 00007FD8347BA25Ch 0x0000006e lea edx, dword ptr [esp+60h] 0x00000072 clc 0x00000073 cmc 0x00000074 cmp edi, edi 0x00000076 cmp esi, edx 0x00000078 jmp 00007FD834B14262h 0x0000007d ja 00007FD834834410h 0x00000083 jmp edi 0x00000085 mov ecx, dword ptr [esi] 0x00000087 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1352 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1440 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1968 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\loaddll32.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Source: C:\Windows\System32\loaddll32.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe System information queried: CurrentTimeZoneInformation Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: rundll32.exe, 00000006.00000003.2162527962.0000000000938000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2272846682.000000000092C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2188743743.0000000000938000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.2462846067.000000000092D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2193010264.0000000000938000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2269266886.00000000008DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWHG
Source: rundll32.exe, 00000003.00000002.2384605793.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2172117641.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2089845513.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.00000000007DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW^V
Source: loaddll32.exe, 00000000.00000003.3268403428.000000000157B000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2784051732.000000000156D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2784408684.0000000001578000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2384605793.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2172117641.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2089845513.00000000007E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2112938839.00000000007D8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000002.2384531834.000000000079E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2116006978.00000000007DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000003.00000003.2176613287.000000000079A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: loaddll32.exe, 00000000.00000003.2784051732.000000000156D000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2187385658.000000000156D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWI
Source: loaddll32.exe, 00000000.00000003.3268383072.000000000154A000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.3268089788.000000000153D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`,W
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation Jump to behavior
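Each RDTSC interceptor entry above begins and ends with an rdtsc instruction, with VMProtect-mutated junk arithmetic and jumps in between: the sample reads the time-stamp counter twice and acts on the difference, because code that traps to a hypervisor, runs under an emulator or is single-stepped by a debugger takes far more cycles between the two reads than it does on bare metal. That is also why the sandbox intercepts RDTSC at all. The program below is an added example of that check written plainly; it is not code from this report or from the sample. The probed instruction (CPUID, which always exits to a hypervisor, instead of the sample's junk sequence), the 1000-cycle threshold and the 100-sample minimum are assumptions chosen for illustration; the non-x86 fallback only exists so the example compiles everywhere.

```c
/*
 * Added example (not from the sandbox report or the analysed sample):
 * an RDTSC timing probe of the kind flagged as "Tries to detect
 * virtualization through RDTSC time measurements". The sample hides the
 * two RDTSC reads inside VMProtect junk; here the mechanism is explicit.
 * Threshold, sample count and the choice of CPUID as the probed
 * instruction are assumptions for illustration.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid() macro (GCC/Clang) */

/* Instruction placed between the two reads. CPUID unconditionally exits
 * to the hypervisor, so under a VM the measured gap grows sharply. */
static inline void probe_trap_instruction(void)
{
    unsigned int a, b, c, d;
    __cpuid(0, a, b, c, d);
    (void)a; (void)b; (void)c; (void)d;
}

static inline uint64_t read_tsc(void) { return __rdtsc(); }
#else
#include <time.h>
/* Fallback for non-x86 hosts so the example still compiles: a monotonic
 * nanosecond clock stands in for the time-stamp counter. */
static inline void probe_trap_instruction(void) { }
static inline uint64_t read_tsc(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}
#endif

/* One sample: counter ticks consumed by the probed instruction. */
uint64_t rdtsc_delta_once(void)
{
    uint64_t t0 = read_tsc();
    probe_trap_instruction();
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Minimum over n samples. Interrupts and scheduling inflate individual
 * samples on bare metal, so the minimum is the robust statistic. */
uint64_t rdtsc_delta_min(int n)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < n; i++) {
        uint64_t d = rdtsc_delta_once();
        if (d < best) best = d;
    }
    return best;
}

/* Decision rule: 1 when even the best-case gap exceeds the threshold. */
int looks_virtualized(uint64_t min_delta, uint64_t threshold)
{
    return min_delta > threshold;
}

#define ASSUMED_THRESHOLD 1000ULL  /* assumption: ticks; tune per CPU */

int main(void)
{
    uint64_t d = rdtsc_delta_min(100);
    printf("min rdtsc delta over 100 runs: %llu -> %s\n",
           (unsigned long long)d,
           looks_virtualized(d, ASSUMED_THRESHOLD)
               ? "likely virtualized or instrumented"
               : "likely bare metal");
    return 0;
}
```

Build with `gcc -O2 rdtsc_probe.c -o rdtsc_probe`. The fixed threshold is what makes this check fragile for the attacker and easy for a sandbox to defeat: an analysis system that hooks RDTSC, as the "RDTSC instruction interceptor" entries show, can return whatever small delta it likes, and a sample that sees a small delta proceeds to run its payload under observation.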

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 47.110.247.171 80 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\1Tkf1dTh5K.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior