Windows Analysis Report
z5zecWP4su.dll

Overview

General Information

Sample name: z5zecWP4su.dll
(renamed file extension from none to dll, renamed because original name is a hash value)
Original sample name: ec1205a050693f750dd6a984b68eb2533539a34a5602744127d1b729b22f42fd
Analysis ID: 1467832
MD5: 20ee5ab5724339f16c19be92d0912bb6
SHA1: 73055a139a248cccb2b6f4360f072f7626b4ce7c
SHA256: ec1205a050693f750dd6a984b68eb2533539a34a5602744127d1b729b22f42fd

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect virtualization through RDTSC time measurements
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Network Connection Initiated By Regsvr32.EXE
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: z5zecWP4su.dll ReversingLabs: Detection: 54%
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: loaddll64.exe, 00000000.00000002.3240584265.00007FF8A7E43000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN RSA PUBLIC KEY----- memstr_f3dc30d5-6
Source: z5zecWP4su.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT

Networking

Source: Traffic Snort IDS: 2048550 ET TROJAN Win32/MataDoor CnC Beacon Over UDP 192.168.2.5:53463 -> 10.45.6.7:13111
Source: z5zecWP4su.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: z5zecWP4su.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: z5zecWP4su.dll String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: z5zecWP4su.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: z5zecWP4su.dll String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: z5zecWP4su.dll String found in binary or memory: http://ocsp.comodoca.com0
Source: z5zecWP4su.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: z5zecWP4su.dll String found in binary or memory: https://sectigo.com/CPS0
Source: z5zecWP4su.dll Static PE information: invalid certificate
Source: classification engine Classification label: mal72.evad.winDLL@12/0@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3408:120:WilError_03
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\z5zecWP4su.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\z5zecWP4su.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\z5zecWP4su.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\z5zecWP4su.dll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\z5zecWP4su.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\z5zecWP4su.dll,DllMain
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\z5zecWP4su.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll64.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: userenv.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: mpr.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll64.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: userenv.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: mswsock.dll
Source: z5zecWP4su.dll Static PE information: Image base 0x180000000 > 0x60000000
Source: z5zecWP4su.dll Static file information: File size 6738848 > 1048576
Source: z5zecWP4su.dll Static PE information: Raw size of .6L1 is bigger than: 0x100000 < 0x66a800
Source: z5zecWP4su.dll Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: initial sample Static PE information: section where entry point is pointing to: .6L1
Source: z5zecWP4su.dll Static PE information: section name: _RDATA
Source: z5zecWP4su.dll Static PE information: section name: ..qC
Source: z5zecWP4su.dll Static PE information: section name: ._a8
Source: z5zecWP4su.dll Static PE information: section name: .6L1
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000FA1137DEB3 push ecx; retf 4_2_000000FA1137DF19
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000FA1137EC24 push ecx; retf 4_2_000000FA1137EF39
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000FA1137D998 push ecx; retf 4_2_000000FA1137D999
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000FA1137EA4B pushad ; ret 4_2_000000FA1137EA7C
Source: C:\Windows\System32\rundll32.exe Code function: 4_2_000000FA1137EF3A push ecx; retf 4_2_000000FA1137EF39
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000006D9B47E868 push ecx; retf 5_2_0000006D9B47E869
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000006D9B47E37B pushad ; ret 5_2_0000006D9B47E3AC
Source: C:\Windows\System32\rundll32.exe Code function: 5_2_0000006D9B47D78A push ecx; retf 5_2_0000006D9B47D849

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll64.exe Memory written: PID: 5888 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Windows\System32\loaddll64.exe Memory written: PID: 5888 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Windows\System32\regsvr32.exe Memory written: PID: 3568 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Windows\System32\regsvr32.exe Memory written: PID: 3568 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 344 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 344 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 3560 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 3560 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 4052 base: 7FF8C8A50008 value: E9 EB D9 E9 FF
Source: C:\Windows\System32\rundll32.exe Memory written: PID: 4052 base: 7FF8C88ED9F0 value: E9 20 26 16 00
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 7FF8A8A4E137 second address: 7FF8A8A4E155 instructions: 0x00000000 rdtsc 0x00000002 cbw 0x00000004 inc ax 0x00000006 movzx eax, dh 0x00000009 inc ecx 0x0000000a pop eax 0x0000000b cwd 0x0000000d inc cx 0x0000000f bswap edx 0x00000011 inc ecx 0x00000012 pop ecx 0x00000013 dec eax 0x00000014 arpl ax, si 0x00000016 inc ecx 0x00000017 pop ebp 0x00000018 dec eax 0x00000019 cdq 0x0000001a inc eax 0x0000001b setns bh 0x0000001e rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 7FF8A89A1C6E second address: 7FF8A89A1C84 instructions: 0x00000000 rdtsc 0x00000002 lahf 0x00000003 dec eax 0x00000004 cwde 0x00000005 inc ecx 0x00000006 pop ebp 0x00000007 lahf 0x00000008 inc sp 0x0000000a movsx edx, ch 0x0000000d inc sp 0x0000000f movzx esi, dh 0x00000012 inc ecx 0x00000013 pop esp 0x00000014 inc ecx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Windows\System32\regsvr32.exe RDTSC instruction interceptor: First address: 7FF8A8A4E137 second address: 7FF8A8A4E155 instructions: 0x00000000 rdtsc 0x00000002 cbw 0x00000004 inc ax 0x00000006 movzx eax, dh 0x00000009 inc ecx 0x0000000a pop eax 0x0000000b cwd 0x0000000d inc cx 0x0000000f bswap edx 0x00000011 inc ecx 0x00000012 pop ecx 0x00000013 dec eax 0x00000014 arpl ax, si 0x00000016 inc ecx 0x00000017 pop ebp 0x00000018 dec eax 0x00000019 cdq 0x0000001a inc eax 0x0000001b setns bh 0x0000001e rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 7FF8A8A2E926 second address: 7FF8A8A2E956 instructions: 0x00000000 rdtsc 0x00000002 sal bl, cl 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc cx 0x00000008 ror eax, FFFFFFBEh 0x0000000b inc ecx 0x0000000c shl bl, FFFFFFBFh 0x0000000f inc ecx 0x00000010 pop ecx 0x00000011 sbb ecx, ebx 0x00000013 inc bp 0x00000015 xor edi, edx 0x00000017 dec esp 0x00000018 arpl sp, sp 0x0000001a inc ecx 0x0000001b pop edi 0x0000001c inc ecx 0x0000001d test cl, cl 0x0000001f ror bp, FFA4h 0x00000023 clc 0x00000024 popfd 0x00000025 movsx edx, cx 0x00000028 bswap dx 0x0000002b pop esi 0x0000002c dec eax 0x0000002d movsx ecx, bx 0x00000030 rdtsc
Source: C:\Windows\System32\regsvr32.exe RDTSC instruction interceptor: First address: 7FF8A89A1C6E second address: 7FF8A89A1C84 instructions: 0x00000000 rdtsc 0x00000002 lahf 0x00000003 dec eax 0x00000004 cwde 0x00000005 inc ecx 0x00000006 pop ebp 0x00000007 lahf 0x00000008 inc sp 0x0000000a movsx edx, ch 0x0000000d inc sp 0x0000000f movzx esi, dh 0x00000012 inc ecx 0x00000013 pop esp 0x00000014 inc ecx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Windows\System32\regsvr32.exe RDTSC instruction interceptor: First address: 7FF8A8A2E926 second address: 7FF8A8A2E956 instructions: 0x00000000 rdtsc 0x00000002 sal bl, cl 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc cx 0x00000008 ror eax, FFFFFFBEh 0x0000000b inc ecx 0x0000000c shl bl, FFFFFFBFh 0x0000000f inc ecx 0x00000010 pop ecx 0x00000011 sbb ecx, ebx 0x00000013 inc bp 0x00000015 xor edi, edx 0x00000017 dec esp 0x00000018 arpl sp, sp 0x0000001a inc ecx 0x0000001b pop edi 0x0000001c inc ecx 0x0000001d test cl, cl 0x0000001f ror bp, FFA4h 0x00000023 clc 0x00000024 popfd 0x00000025 movsx edx, cx 0x00000028 bswap dx 0x0000002b pop esi 0x0000002c dec eax 0x0000002d movsx ecx, bx 0x00000030 rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 7FF8A8413C20 second address: 7FF8A8413C25 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 inc ecx 0x00000004 pop ebp 0x00000005 rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 7FF8A8413C25 second address: 7FF8A8413C2D instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 mov dl, 89h 0x00000005 lahf 0x00000006 inc ecx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 7FF8A83749A5 second address: 7FF8A83749AB instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 arpl ax, bp 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 7FF8A840AF78 second address: 7FF8A840AF96 instructions: 0x00000000 rdtsc 0x00000002 cbw 0x00000004 inc ax 0x00000006 movzx eax, dh 0x00000009 inc ecx 0x0000000a pop eax 0x0000000b cwd 0x0000000d inc cx 0x0000000f bswap edx 0x00000011 inc ecx 0x00000012 pop ecx 0x00000013 dec eax 0x00000014 arpl ax, si 0x00000016 inc ecx 0x00000017 pop ebp 0x00000018 dec eax 0x00000019 cdq 0x0000001a inc eax 0x0000001b setns bh 0x0000001e rdtsc
Source: C:\Windows\System32\regsvr32.exe RDTSC instruction interceptor: First address: 7FF8A8413C20 second address: 7FF8A8413C25 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 inc ecx 0x00000004 pop ebp 0x00000005 rdtsc
Source: C:\Windows\System32\rundll32.exe RDTSC instruction interceptor: First address: 7FF8A83E210B second address: 7FF8A83E213B instructions: 0x00000000 rdtsc 0x00000002 sal bl, cl 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc cx 0x00000008 ror eax, FFFFFFBEh 0x0000000b inc ecx 0x0000000c shl bl, FFFFFFBFh 0x0000000f inc ecx 0x00000010 pop ecx 0x00000011 sbb ecx, ebx 0x00000013 inc bp 0x00000015 xor edi, edx 0x00000017 dec esp 0x00000018 arpl sp, sp 0x0000001a inc ecx 0x0000001b pop edi 0x0000001c inc ecx 0x0000001d test cl, cl 0x0000001f ror bp, FFA4h 0x00000023 clc 0x00000024 popfd 0x00000025 movsx edx, cx 0x00000028 bswap dx 0x0000002b pop esi 0x0000002c dec eax 0x0000002d movsx ecx, bx 0x00000030 rdtsc
Source: C:\Windows\System32\regsvr32.exe RDTSC instruction interceptor: First address: 7FF8A8413C25 second address: 7FF8A8413C2D instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 mov dl, 89h 0x00000005 lahf 0x00000006 inc ecx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Windows\System32\regsvr32.exe RDTSC instruction interceptor: First address: 7FF8A83749A5 second address: 7FF8A83749AB instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 arpl ax, bp 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Windows\System32\regsvr32.exe RDTSC instruction interceptor: First address: 7FF8A840AF78 second address: 7FF8A840AF96 instructions: 0x00000000 rdtsc 0x00000002 cbw 0x00000004 inc ax 0x00000006 movzx eax, dh 0x00000009 inc ecx 0x0000000a pop eax 0x0000000b cwd 0x0000000d inc cx 0x0000000f bswap edx 0x00000011 inc ecx 0x00000012 pop ecx 0x00000013 dec eax 0x00000014 arpl ax, si 0x00000016 inc ecx 0x00000017 pop ebp 0x00000018 dec eax 0x00000019 cdq 0x0000001a inc eax 0x0000001b setns bh 0x0000001e rdtsc
Source: C:\Windows\System32\loaddll64.exe RDTSC instruction interceptor: First address: 7FF8A8A4E137 second address: 7FF8A8A4E155 instructions: 0x00000000 rdtsc 0x00000002 cbw 0x00000004 inc ax 0x00000006 movzx eax, dh 0x00000009 inc ecx 0x0000000a pop eax 0x0000000b cwd 0x0000000d inc cx 0x0000000f bswap edx 0x00000011 inc ecx 0x00000012 pop ecx 0x00000013 dec eax 0x00000014 arpl ax, si 0x00000016 inc ecx 0x00000017 pop ebp 0x00000018 dec eax 0x00000019 cdq 0x0000001a inc eax 0x0000001b setns bh 0x0000001e rdtsc
Source: C:\Windows\System32\loaddll64.exe RDTSC instruction interceptor: First address: 7FF8A89A1C6E second address: 7FF8A89A1C84 instructions: 0x00000000 rdtsc 0x00000002 lahf 0x00000003 dec eax 0x00000004 cwde 0x00000005 inc ecx 0x00000006 pop ebp 0x00000007 lahf 0x00000008 inc sp 0x0000000a movsx edx, ch 0x0000000d inc sp 0x0000000f movzx esi, dh 0x00000012 inc ecx 0x00000013 pop esp 0x00000014 inc ecx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Windows\System32\loaddll64.exe RDTSC instruction interceptor: First address: 7FF8A8A2E926 second address: 7FF8A8A2E956 instructions: 0x00000000 rdtsc 0x00000002 sal bl, cl 0x00000004 inc ecx 0x00000005 pop ebp 0x00000006 inc cx 0x00000008 ror eax, FFFFFFBEh 0x0000000b inc ecx 0x0000000c shl bl, FFFFFFBFh 0x0000000f inc ecx 0x00000010 pop ecx 0x00000011 sbb ecx, ebx 0x00000013 inc bp 0x00000015 xor edi, edx 0x00000017 dec esp 0x00000018 arpl sp, sp 0x0000001a inc ecx 0x0000001b pop edi 0x0000001c inc ecx 0x0000001d test cl, cl 0x0000001f ror bp, FFA4h 0x00000023 clc 0x00000024 popfd 0x00000025 movsx edx, cx 0x00000028 bswap dx 0x0000002b pop esi 0x0000002c dec eax 0x0000002d movsx ecx, bx 0x00000030 rdtsc
Source: C:\Windows\System32\loaddll64.exe RDTSC instruction interceptor: First address: 7FF8A8413C20 second address: 7FF8A8413C25 instructions: 0x00000000 rdtsc 0x00000002 cwde 0x00000003 inc ecx 0x00000004 pop ebp 0x00000005 rdtsc
Source: C:\Windows\System32\loaddll64.exe RDTSC instruction interceptor: First address: 7FF8A8413C25 second address: 7FF8A8413C2D instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 mov dl, 89h 0x00000005 lahf 0x00000006 inc ecx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Windows\System32\loaddll64.exe RDTSC instruction interceptor: First address: 7FF8A83749A5 second address: 7FF8A83749AB instructions: 0x00000000 rdtsc 0x00000002 dec esp 0x00000003 arpl ax, bp 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Windows\System32\loaddll64.exe RDTSC instruction interceptor: First address: 7FF8A840AF78 second address: 7FF8A840AF96 instructions: 0x00000000 rdtsc 0x00000002 cbw 0x00000004 inc ax 0x00000006 movzx eax, dh 0x00000009 inc ecx 0x0000000a pop eax 0x0000000b cwd 0x0000000d inc cx 0x0000000f bswap edx 0x00000011 inc ecx 0x00000012 pop ecx 0x00000013 dec eax 0x00000014 arpl ax, si 0x00000016 inc ecx 0x00000017 pop ebp 0x00000018 dec eax 0x00000019 cdq 0x0000001a inc eax 0x0000001b setns bh 0x0000001e rdtsc
Source: C:\Windows\System32\loaddll64.exe Window / User API: threadDelayed 3985
Source: C:\Windows\System32\regsvr32.exe Window / User API: threadDelayed 3325
Source: C:\Windows\System32\rundll32.exe Window / User API: threadDelayed 3582
Source: C:\Windows\System32\loaddll64.exe TID: 3480 Thread sleep time: -32000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 2828 Thread sleep time: -54000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 3480 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 3480 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 2828 Thread sleep time: -11955000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 3480 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\loaddll64.exe TID: 5312 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6788 Thread sleep time: -32000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1600 Thread sleep count: 277 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 1600 Thread sleep time: -831000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6788 Thread sleep time: -480000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6788 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1600 Thread sleep count: 3325 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 1600 Thread sleep time: -9975000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6788 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6056 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 736 Thread sleep time: -32000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 4480 Thread sleep time: -75000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 736 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 736 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 4480 Thread sleep count: 3582 > 30
Source: C:\Windows\System32\rundll32.exe TID: 4480 Thread sleep time: -10746000s >= -30000s
Source: C:\Windows\System32\rundll32.exe TID: 736 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\System32\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 60000
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\loaddll64.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 60000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 120000
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 60000
Source: C:\Windows\System32\rundll32.exe Thread delayed: delay time: 120000
Source: loaddll64.exe, 00000000.00000002.3240179330.000002132FB18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllaaywP
Source: regsvr32.exe, 00000003.00000002.3240054781.0000000000980000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: rundll32.exe, 00000007.00000002.3240226568.00000189F656F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort
Source: C:\Windows\System32\rundll32.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\loaddll64.exe NtProtectVirtualMemory: Indirect: 0x7FF8A894F6CC
Source: C:\Windows\System32\loaddll64.exe NtOpenFile: Direct from: 0xE05E8FE9AA
Source: C:\Windows\System32\loaddll64.exe NtProtectVirtualMemory: Direct from: 0x282
Source: C:\Windows\System32\loaddll64.exe NtUnmapViewOfSection: Direct from: 0xD0A58
Source: C:\Windows\System32\loaddll64.exe NtProtectVirtualMemory: Indirect: 0x7FF8A7DB5129