Windows Analysis Report
rcM4Cx31Iy.dll

Overview

General Information

Sample name: rcM4Cx31Iy.dll
renamed because original name is a hash value
Original sample name: 5e9bb5d912d3b94dfab58453437a9305eca1df9e84abdb64610b46660ed54211.dll
Analysis ID: 1567176
MD5: da2334af47d1daf91c6a7921875f9526
SHA1: acc6e16ec59360157741fd0d72497d83f40dd355
SHA256: 5e9bb5d912d3b94dfab58453437a9305eca1df9e84abdb64610b46660ed54211
Tags: dllFakeMp3user-BruceAnn2
Infos:

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to infect the boot sector
Creates an undocumented autostart registry key
Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SIDT)
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to search for IE or Outlook window (often done to steal information)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: rcM4Cx31Iy.dll ReversingLabs: Detection: 36%
Uses 32bit PE files
Source: rcM4Cx31Iy.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001715A _snwprintf,_snwprintf,FindFirstFileW,wcscmp,wcscmp,wcscmp,_snwprintf,_snwprintf,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 6_2_1001715A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000C553 memset,FindFirstFileW,FindClose, 6_2_1000C553
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000A13F GetTickCount,memset,memset,ResetEvent,InternetReadFileExA,SetEvent,InternetReadFile,GetLastError, 6_2_1000A13F
Source: rcM4Cx31Iy.dll String found in binary or memory: <a href="http://yahoo.cn/" target="_blank">http://www.yahoo.cn/</a> equals www.yahoo.com (Yahoo)
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://127.0.0.1/%s
Source: rcM4Cx31Iy.dll String found in binary or memory: http://bbs.iesuper.com
Source: rcM4Cx31Iy.dll String found in binary or memory: http://bbs.qihoo.com/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://bt.fkee.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://bt.fkee.com/search.aspx?q=
Source: rcM4Cx31Iy.dll String found in binary or memory: http://d.sogou.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://d.sogou.com/music.so?pf=&query=
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://data.alexa.com/data/gWjM61Z9yy83rr?cli=10&dat=snba&ver=7.2&cdt=alx_vw%3D20%26wid%3D11092%26ac
Source: rcM4Cx31Iy.dll String found in binary or memory: http://download.pchome.net/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://download.pchome.net/php/search.php?pid=0&searchstr=
Source: rcM4Cx31Iy.dll String found in binary or memory: http://download.pcpop.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://download.pcpop.com/List.html?printing=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://find.verycd.com/folders/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://mp3.baidu.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://mp3.baidu.com/m?ct=134217728&word=
Source: rcM4Cx31Iy.dll String found in binary or memory: http://search.blogcn.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://search.blogcn.com/BlogResult.aspx?SearchType=2&txtQuery=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://search.btchina.net/search.php?query=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://search.cn.yahoo.com/search?p=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://search.crsky.com/search.asp?keyword=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://search.live.com/results.aspx?q=
Source: rcM4Cx31Iy.dll String found in binary or memory: http://search.sogua.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://search.sogua.com/search.asp?key=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://search.tuotu.com/?key=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://search.tvsou.com/?KeyWords=
Source: rcM4Cx31Iy.dll String found in binary or memory: http://shooter.cn/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://shooter.cn/sub/?searchword=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://so.bbs.qihoo.com/index.html?kw=
Source: rcM4Cx31Iy.dll String found in binary or memory: http://so.mydrivers.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://so.mydrivers.com/drivers/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://so.xunlei.com/search?search=
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://try.iesuper.com/client/webinfo.htm
Source: rundll32.exe String found in binary or memory: http://update.iesuper.com/update/iesuper.ini?fn=%s&version=%s&u=%s
Source: rundll32.exe, 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://update.iesuper.com/update/iesuper.ini?fn=%s&version=%s&u=%s1.0.1.40OEMIDneedfileurl%s%s%spath
Source: rundll32.exe String found in binary or memory: http://update.iesuper.com/update/installdone.htm?fn=%s&version=%s&u=%s
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://weather.tq121.com.cn/detail.php?city=
Source: rundll32.exe String found in binary or memory: http://www.alexa.com/data/details/traffic_details?url=%s
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.baidu.com/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.baidu.com/baidu?word=
Source: rundll32.exe, rundll32.exe, 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://www.baidu.com/baidu?word=%s&tn=sper_2_dg
Source: rundll32.exe String found in binary or memory: http://www.baidu.com/baidu?word=%s&tn=sper_3_dg
Source: rundll32.exe, 00000006.00000002.1918858878.000000001001E000.00000008.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://www.baidu.com/baidu?word=%s&tn=sper_3_dgEDIT_CLASSPROCInstallDoneToolbarWindow32Search
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.btchina.net/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.crsky.com/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.google.com/
Source: rundll32.exe String found in binary or memory: http://www.google.com/search?client=navclient-auto&features=Rank:&q=info:%s&ch=%s
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://www.google.com/search?q=
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.iciba.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://www.iciba.com/search?s=
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.iesuper.com
Source: rundll32.exe String found in binary or memory: http://www.iesuper.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://www.iesuper.com/cn/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://www.iesuper.com/cn/hl/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.iesuper.com/help.htm
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.kooxoo.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://www.kooxoo.com/search?q=
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.live.com.cn/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.tq121.com.cn/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.tuotu.com/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.tvsou.com/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.verycd.com/
Source: rcM4Cx31Iy.dll String found in binary or memory: http://www.xunlei.com/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://www.yahoo.cn/
Source: rundll32.exe, 00000006.00000002.1918944309.00000000100D8000.00000002.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: http://yahoo.cn/
Source: rundll32.exe, 00000006.00000002.1918879182.0000000010020000.00000004.00000001.01000000.00000003.sdmp, rcM4Cx31Iy.dll String found in binary or memory: https:///://IESuper_PROPIMGTahomaTAB...Google:%s
Contains functionality for read data from the clipboard
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10013F56 GetKeyState,GetKeyState,GetKeyState,GetMessagePos,ScreenToClient,wcslen,OpenClipboard,EmptyClipboard,lstrlenW,WideCharToMultiByte,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,GlobalFree,LoadStringW,GetForegroundWindow,MessageBoxW,LoadStringW,_snwprintf,SysAllocString,SysFreeString,Sleep, 6_2_10013F56
Contains functionality to modify clipboard data
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10013F56 GetKeyState,GetKeyState,GetKeyState,GetMessagePos,ScreenToClient,wcslen,OpenClipboard,EmptyClipboard,lstrlenW,WideCharToMultiByte,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,GlobalFree,LoadStringW,GetForegroundWindow,MessageBoxW,LoadStringW,_snwprintf,SysAllocString,SysFreeString,Sleep, 6_2_10013F56
Potential key logger detected (key state polling based)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10002839 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState, 6_2_10002839
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10005095 GetPropW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetWindowTextW,_snwprintf,SetWindowTextW,CallWindowProcW, 6_2_10005095
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001EF3 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,SysAllocString,_wtoi,SysFreeString,_wcsicmp,SysAllocString,GetCursorPos,ScreenToClient,SysFreeString,SysFreeString,SysFreeString, 6_2_10001EF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10013F56 GetKeyState,GetKeyState,GetKeyState,GetMessagePos,ScreenToClient,wcslen,OpenClipboard,EmptyClipboard,lstrlenW,WideCharToMultiByte,strlen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard,GlobalFree,LoadStringW,GetForegroundWindow,MessageBoxW,LoadStringW,_snwprintf,SysAllocString,SysFreeString,Sleep, 6_2_10013F56
Contains functionality to communicate with device drivers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10010ADA: sprintf,lstrlenA,MultiByteToWideChar,CreateFileW,memset,DeviceIoControl,memset,memset,strcat,CloseHandle, 6_2_10010ADA
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10012267 6_2_10012267
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100160B6 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10017FA0 appears 52 times
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 656
Sample file is different than original file name gathered from version info
Source: rcM4Cx31Iy.dll Binary or memory string: OriginalFilenameiesuper.dll vs rcM4Cx31Iy.dll
Uses 32bit PE files
Source: rcM4Cx31Iy.dll Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DLL
Source: classification engine Classification label: mal60.winDLL@15/5@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000ADD3 GetTickCount,PathGetDriveNumberW,GetDiskFreeSpaceExW,LdrInitializeThunk,CreateFileW,__aulldiv, 6_2_1000ADD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000BA33 CoInitialize,CoCreateInstance,SysAllocString,SysFreeString,_wcsicmp,_snwprintf,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,memset,SysFreeString,SysFreeString,CoUninitialize,DeleteFileW, 6_2_1000BA33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10016972 FindResourceW,LoadResource,SizeofResource,LockResource, 6_2_10016972
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7500
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c569dea6-bd4f-496c-865e-878ae600b039 Jump to behavior
Source: rcM4Cx31Iy.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1
Source: rcM4Cx31Iy.dll ReversingLabs: Detection: 36%
Source: rundll32.exe String found in binary or memory: http://update.iesuper.com/update/installdone.htm?fn=%s&version=%s&u=%s
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\rcM4Cx31Iy.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllGetClassObject
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 656
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\rcM4Cx31Iy.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllCanUnloadNow Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllGetClassObject Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\rcM4Cx31Iy.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44EC053A-400F-11D0-9DCD-00A0C90391D3}\InprocServer32 Jump to behavior
PE file contains sections with non-standard names
Source: rcM4Cx31Iy.dll Static PE information: section name: .phoenix
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\rcM4Cx31Iy.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10018000 push eax; ret 6_2_1001802E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10017FA0 push eax; ret 6_2_10017FBE

Persistence and Installation Behavior
barindex
Contains functionality to infect the boot sector
Source: C:\Windows\SysWOW64\rundll32.exe Code function: sprintf,lstrlenA,MultiByteToWideChar,CreateFileW,memset,DeviceIoControl,memset,memset,strcat,CloseHandle, \\.\PhysicalDrive%d 6_2_10010ADA

Boot Survival
barindex
Contains functionality to infect the boot sector
Source: C:\Windows\SysWOW64\rundll32.exe Code function: sprintf,lstrlenA,MultiByteToWideChar,CreateFileW,memset,DeviceIoControl,memset,memset,strcat,CloseHandle, \\.\PhysicalDrive%d 6_2_10010ADA
Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\regsvr32.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} NULL Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} NULL Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} NoExplorer Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A49F431-2A2E-41a5-9080-0F41D1A3AEC2} NoExplorer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains functionality to detect virtual machines (SIDT)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10014ED8 sidt fword ptr [100D51C8h] 6_2_10014ED8
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 0.1 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1001715A _snwprintf,_snwprintf,FindFirstFileW,wcscmp,wcscmp,wcscmp,_snwprintf,_snwprintf,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 6_2_1001715A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000C553 memset,FindFirstFileW,FindClose, 6_2_1000C553
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000A074 GetTickCount,LdrInitializeThunk,InternetSetOptionW, 6_2_1000A074
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10007C13 OutputDebugStringA,GetLastError, 6_2_10007C13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10014ED8 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 6_2_10014ED8
Contains functionality to launch a program with higher privileges
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000381A _snwprintf,wcsrchr,wcsncpy,DeleteFileW,LoadStringW,GetForegroundWindow,MessageBoxW,GetModuleFileNameW,GetShortPathNameW,_snwprintf,ShellExecuteW,PostThreadMessageW, 6_2_1000381A
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\rcM4Cx31Iy.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000E992 GetSystemTime,SystemTimeToFileTime,CommitUrlCacheEntryW, 6_2_1000E992
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10007B74 GetVersion,GetVersion,GetFileAttributesW,GetModuleHandleA,GetProcAddress,GetProcAddress,GetVersion,GetProcAddress, 6_2_10007B74
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe
Contains functionality to search for IE or Outlook window (often done to steal information)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10006D83 GetClassNameW,wcscmp,EnumChildWindows,FindWindowExW,FindWindowExW,FindWindowExW, 6_2_10006D83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000CF69 FindWindowExW,FindWindowExW,FindWindowExW,PostMessageW, 6_2_1000CF69
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1567176 Sample: rcM4Cx31Iy.dll Startdate: 03/12/2024 Architecture: WINDOWS Score: 60 23 Multi AV Scanner detection for submitted file 2->23 25 Sigma detected: Potential Persistence Via COM Hijacking From Suspicious Locations 2->25 7 loaddll32.exe 1 2->7         started        process3 process4 9 cmd.exe 1 7->9         started        11 regsvr32.exe 42 7->11         started        14 rundll32.exe 7->14         started        16 3 other processes 7->16 signatures5 18 rundll32.exe 9->18         started        29 Creates an undocumented autostart registry key 11->29 21 WerFault.exe 22 16 14->21         started        process6 signatures7 27 Contains functionality to infect the boot sector 18->27
No contacted IP infos