Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: CobaltStrike {"BeaconType": ["HTTPS"], "Port": 2003, "SleepTime": 30000, "MaxGetSize": 1398102, "Jitter": 20, "C2Server": "154.82.113.115,/owa/", "HttpPostUri": "/OWA/", "Malleable_C2_Instructions": ["Base64 URL-safe decode"], "HttpGet_Verb": "GET", "HttpPost_Verb": "GET", "HttpPostChunk": 96, "Spawnto_x86": "%windir%\\syswow64\\gpupdate.exe", "Spawnto_x64": "%windir%\\sysnative\\gpupdate.exe", "CryptoScheme": 0, "Proxy_Behavior": "Use IE settings", "Watermark": 987654321, "bStageCleanup": "True", "bCFGCaution": "True", "KillDate": 0, "bProcInject_StartRWX": "True", "bProcInject_UseRWX": "False", "bProcInject_MinAllocSize": 16700, "ProcInject_PrependAppend_x86": "Empty", "ProcInject_PrependAppend_x64": "Empty", "ProcInject_Execute": ["ntdll.dll:RtlUserThreadStart", "SetThreadContext", "NtQueueApcThread-s", "kernel32.dll:LoadLibraryA", "RtlCreateUserThread"], "ProcInject_AllocationMethod": "NtMapViewOfSection", "bUsesCookies": "True", "HostHeader": ""} |
Source: https://154.82.113.115/ |
Virustotal: Detection: 9% |
Perma Link |
Source: 154.82.113.115 |
Virustotal: Detection: 9% |
Perma Link |
Source: LX4CUQO8qI.dll |
ReversingLabs: Detection: 65% |
Source: LX4CUQO8qI.dll |
Virustotal: Detection: 60% |
Perma Link |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 97.4% probability |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0096D7AA CryptAcquireContextA,CryptAcquireContextA,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, |
0_2_0096D7AA |
Source: LX4CUQO8qI.dll |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL |
Source: LX4CUQO8qI.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0096480C _malloc,_memset,_strncmp,GetCurrentDirectoryA,FindFirstFileA,GetLastError,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, |
0_2_0096480C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0096925B _malloc,__snprintf,FindFirstFileA,_malloc,__snprintf,FindNextFileA,FindClose, |
0_2_0096925B |
Source: Network traffic |
Suricata IDS: 2035651 - Severity 1 - ET MALWARE Meterpreter or Other Reverse Shell SSL Cert : 154.82.113.115:2003 -> 192.168.2.4:49730 |
Source: Malware configuration extractor |
URLs: 154.82.113.115 |
Source: global traffic |
TCP traffic: 192.168.2.4:49730 -> 154.82.113.115:2003 |
Source: Joe Sandbox View |
ASN Name: ROOTNETWORKSUS ROOTNETWORKSUS |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49750 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49751 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49744 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49730 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49747 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49754 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49749 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49739 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49748 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49743 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49738 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49752 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49741 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49746 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49753 -> 154.82.113.115:2003 |
Source: Network traffic |
Suricata IDS: 2028765 - Severity 3 - ET JA3 Hash - [Abuse.ch] Possible Dridex : 192.168.2.4:49742 -> 154.82.113.115:2003 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 154.82.113.115 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0096296B _memset,__snprintf,__snprintf,__snprintf,HttpOpenRequestA,HttpSendRequestA,InternetCloseHandle,InternetQueryDataAvailable,InternetReadFile,InternetCloseHandle,InternetCloseHandle, |
0_2_0096296B |
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: loaddll32.exe, 00000000.00000003.2094032497.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2093978733.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2936517291.0000000000A72000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1794866952.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab( |
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.2093978733.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000003.1794866952.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enlJ |
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A28000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://154.82.113.115/ |
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2936517291.0000000000A72000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://154.82.113.115:2003/ |
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://154.82.113.115:2003/hy |
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A4E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://154.82.113.115:2003/oft |
Source: loaddll32.exe, 00000000.00000002.2936891536.000000000129C000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: https://154.82.113.115:2003/owa/?wa=FPR-lSl93sxmVlVCOAlZFbF7o1dHykWQX |
Source: loaddll32.exe, 00000000.00000002.2936517291.0000000000A28000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://154.82.113.115:2003/owa/?wa=FPR-lSl93sxmVlVCOAlZFbF7o1dHykWQXURFaS8Dwbgi6FyenzDlocbqwA4aTXi6 |
Source: 0.2.loaddll32.exe.960000.0.unpack, type: UNPACKEDPE |
Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: 0.2.loaddll32.exe.960000.0.unpack, type: UNPACKEDPE |
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown |
Source: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown |
Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the API address lookup function leverage by metasploit shellcode Author: unknown |
Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families. Author: unknown |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00964065 CreateProcessAsUserA,GetLastError,GetLastError,GetLastError,CreateProcessA,GetLastError, |
0_2_00964065 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_01098954 |
0_3_01098954 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_010A5DB8 |
0_3_010A5DB8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_010A2470 |
0_3_010A2470 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_010A57E8 |
0_3_010A57E8 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_0109365C |
0_3_0109365C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_009838D1 |
0_2_009838D1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_009840FD |
0_2_009840FD |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00983028 |
0_2_00983028 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00986145 |
0_2_00986145 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00986970 |
0_2_00986970 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00974214 |
0_2_00974214 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_009863A0 |
0_2_009863A0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00985B20 |
0_2_00985B20 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00983CDD |
0_2_00983CDD |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_009834FD |
0_2_009834FD |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0097950C |
0_2_0097950C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_0108CD8D |
0_3_0108CD8D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: String function: 00979AD4 appears 39 times |
|
Source: C:\Windows\System32\loaddll32.exe |
Code function: String function: 01098F1C appears 35 times |
|
Source: LX4CUQO8qI.dll |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED, DLL |
Source: 0.2.loaddll32.exe.960000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23 |
Source: 0.2.loaddll32.exe.960000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
Source: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23 |
Source: 00000000.00000002.2936432455.0000000000995000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_7bc0f998 os = windows, severity = x86, description = Identifies the API address lookup function leverage by metasploit shellcode, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = fdb5c665503f07b2fc1ed7e4e688295e1222a500bfb68418661db60c8e75e835, id = 7bc0f998-7014-4883-8a56-d5ee00c15aed, last_modified = 2021-08-23 |
Source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Metasploit_c9773203 os = windows, severity = x86, description = Identifies the 64 bit API hashing function used by Metasploit. This has been re-used by many other malware families., creation_date = 2021-04-07, scan_context = file, memory, reference = https://github.com/rapid7/metasploit-framework/blob/04e8752b9b74cbaad7cb0ea6129c90e3172580a2/external/source/shellcode/windows/x64/src/block/block_api.asm, license = Elastic License v2, threat_name = Windows.Trojan.Metasploit, fingerprint = afde93eeb14b4d0c182f475a22430f101394938868741ffa06445e478b6ece36, id = c9773203-6d1e-4246-a1e0-314217e0207a, last_modified = 2021-08-23 |
Source: classification engine |
Classification label: mal100.troj.evad.winDLL@14/4@0/1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_009637C3 LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, |
0_2_009637C3 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00969031 _memset,GetCurrentProcess,CreateToolhelp32Snapshot,Process32First,ProcessIdToSessionId,Process32Next, |
0_2_00969031 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7712:120:WilError_03 |
Source: LX4CUQO8qI.dll |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1 |
Source: LX4CUQO8qI.dll |
ReversingLabs: Detection: 65% |
Source: LX4CUQO8qI.dll |
Virustotal: Detection: 60% |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\LX4CUQO8qI.dll |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllGetClassObject |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllMain |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllRegisterServer |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\LX4CUQO8qI.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllGetClassObject |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllMain |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\LX4CUQO8qI.dll,DllRegisterServer |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: schannel.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: mskeyprotect.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: msasn1.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: dpapi.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: gpapi.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: cryptnet.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: dhcpcsvc6.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: dhcpcsvc.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: webio.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: cabinet.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Section loaded: ncryptsslp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\cmd.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: aclayers.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: mpr.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc_os.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Jump to behavior |
Source: LX4CUQO8qI.dll |
Static PE information: Image base 0x6cfc0000 > 0x60000000 |
Source: LX4CUQO8qI.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_009809A5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, |
0_2_009809A5 |
Source: LX4CUQO8qI.dll |
Static PE information: section name: .eh_fram |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\LX4CUQO8qI.dll |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_01096248 push eax; ret |
0_3_0109624F |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_0109572F push edi; ret |
0_3_01095730 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_01096F68 push dword ptr [ecx-75h]; iretd |
0_3_01096F70 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_01098F61 push ecx; ret |
0_3_01098F74 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0098ABE1 push FFFFFFCBh; retf |
0_2_0098ABE5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00979B19 push ecx; ret |
0_2_00979B2C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0098932C pushfd ; ret |
0_2_00989331 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00976E00 push eax; ret |
0_2_00976E07 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0391061C push eax; mov dword ptr [esp], ebx |
0_2_0391065F |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00963374 |
0_2_00963374 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00966C1F |
0_2_00966C1F |
Source: C:\Windows\System32\loaddll32.exe |
Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) |
Source: C:\Windows\System32\loaddll32.exe |
Evasive API call chain: GetLocalTime,DecisionNodes |
Source: C:\Windows\System32\loaddll32.exe |
Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes |
Source: C:\Windows\System32\loaddll32.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Windows\System32\loaddll32.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep |
Source: C:\Windows\System32\loaddll32.exe |
API coverage: 8.2 % |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00966C1F |
0_2_00966C1F |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0096480C _malloc,_memset,_strncmp,GetCurrentDirectoryA,FindFirstFileA,GetLastError,FileTimeToSystemTime,SystemTimeToTzSpecificLocalTime,FindNextFileA,FindClose, |
0_2_0096480C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0096925B _malloc,__snprintf,FindFirstFileA,_malloc,__snprintf,FindNextFileA,FindClose, |
0_2_0096925B |
Source: C:\Windows\System32\loaddll32.exe |
Thread delayed: delay time: 120000 |
Jump to behavior |
Source: loaddll32.exe, 00000000.00000002.2936517291.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, loaddll32.exe, 00000000.00000002.2936517291.0000000000A28000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Windows\System32\loaddll32.exe |
API call chain: ExitProcess graph end node |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0391047E LdrInitializeThunk, |
0_2_0391047E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0097EB2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0097EB2E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_009809A5 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, |
0_2_009809A5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_010B479D mov eax, dword ptr fs:[00000030h] |
0_3_010B479D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_3_010B47AA mov eax, dword ptr fs:[00000030h] |
0_3_010B47AA |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_039101A1 mov eax, dword ptr fs:[00000030h] |
0_2_039101A1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_039101AE mov eax, dword ptr fs:[00000030h] |
0_2_039101AE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00984B20 CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, |
0_2_00984B20 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00981150 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00981150 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0097EB2E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0097EB2E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0097AD12 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_0097AD12 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0096CAAA LogonUserA,GetLastError,ImpersonateLoggedOnUser,GetLastError, |
0_2_0096CAAA |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\LX4CUQO8qI.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0096CC7A GetCurrentProcessId,AllocateAndInitializeSid,CheckTokenMembership,FreeSid, |
0_2_0096CC7A |
Source: C:\Windows\System32\loaddll32.exe |
Code function: GetLocaleInfoA, |
0_2_009846F0 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00963873 CreateNamedPipeA, |
0_2_00963873 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00978876 GetSystemTimeAsFileTime,__aulldiv, |
0_2_00978876 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00966CD1 GetUserNameA,GetComputerNameA,GetModuleFileNameA,_strrchr,GetVersionExA,__snprintf, |
0_2_00966CD1 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00966CD1 GetUserNameA,GetComputerNameA,GetModuleFileNameA,_strrchr,GetVersionExA,__snprintf, |
0_2_00966CD1 |
Source: C:\Windows\System32\loaddll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |
Source: Yara match |
File source: 00000000.00000003.1756940749.0000000001080000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: loaddll32.exe PID: 7704, type: MEMORYSTR |
Source: Yara match |
File source: 0.2.loaddll32.exe.960000.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.loaddll32.exe.960000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.2936432455.0000000000960000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00967293 socket,htons,ioctlsocket,closesocket,bind,listen, |
0_2_00967293 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_00967375 htonl,htons,socket,closesocket,bind,ioctlsocket, |
0_2_00967375 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_0096D5DB socket,closesocket,htons,bind,listen, |
0_2_0096D5DB |