popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

NxYwE8FyaIw3Kgile

UPX Malicious Library PE64 PE File DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us July 9, 2022, 1:40 p.m. July 9, 2022, 1:51 p.m.
Size 269.0KB
Type PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5 ea0d73a3215825620901196d086e8887
SHA256 dd42e18b12a3bf58d968e137152051e90a09024162816dfe2dd535ad54e2e875
CRC32 D2096C5E
ssdeep 6144:HhuDhkX/MAXwTCFQi+2JW/PAiikmKx770v/5kjjB589:HhuDCvM0rQi1W/PAiikPNm+jD
Yara
  • IsDLL - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • PE_Header_Zero - PE File Signature
  • IsPE64 - (no description)

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
104.168.155.143 Active Moloch
144.202.108.116 Active Moloch
149.56.131.28 Active Moloch
164.124.101.2 Active Moloch
164.90.222.65 Active Moloch
172.105.226.75 Active Moloch
196.218.30.83 Active Moloch
207.148.79.14 Active Moloch
213.239.212.5 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49384 -> 104.168.155.143:8080 2404301 ET CNC Feodo Tracker Reported CnC Server group 2 A Network Trojan was detected
TCP 192.168.56.103:49381 -> 164.90.222.65:443 2404307 ET CNC Feodo Tracker Reported CnC Server group 8 A Network Trojan was detected
TCP 192.168.56.103:49385 -> 213.239.212.5:443 2404314 ET CNC Feodo Tracker Reported CnC Server group 15 A Network Trojan was detected
TCP 192.168.56.103:49385 -> 213.239.212.5:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 213.239.212.5:443 -> 192.168.56.103:49387 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49390 -> 172.105.226.75:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49394 -> 149.56.131.28:8080 2404306 ET CNC Feodo Tracker Reported CnC Server group 7 A Network Trojan was detected
TCP 192.168.56.103:49394 -> 149.56.131.28:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49389 -> 172.105.226.75:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 192.168.56.103:49393 -> 149.56.131.28:8080 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic
TCP 149.56.131.28:8080 -> 192.168.56.103:49395 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49383 -> 144.202.108.116:8080 2404304 ET CNC Feodo Tracker Reported CnC Server group 5 A Network Trojan was detected
TCP 172.105.226.75:8080 -> 192.168.56.103:49391 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49386 -> 213.239.212.5:443 2028401 ET JA3 Hash - Possible Malware - Various Trickbot/Kovter/Dridex Unknown Traffic

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x755bcf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x755ef73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x755efa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x755efb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x73f477b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x755efd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x755efd57
rundll32+0x393f @ 0x63393f
rundll32+0x247a @ 0x63247a
rundll32+0x1baf @ 0x631baf
rundll32+0x12e8 @ 0x6312e8
rundll32+0x1901 @ 0x631901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x73d23f46
registers.esp: 1305164
registers.edi: 0
registers.eax: 1943158598
registers.ebp: 1305204
registers.edx: 0
registers.ebx: 0
registers.esi: 1943158598
registers.ecx: 8129896
1 0 0

__exception__

 stacktrace: 
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75596d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x75596de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x75596e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x772c011a
DialogBoxIndirectParamAorW+0x108 SetDlgItemTextW-0x44 user32+0x3cf5c @ 0x755bcf5c
SoftModalMessageBox+0x757 MessageBoxTimeoutW-0x391 user32+0x6f73c @ 0x755ef73c
SoftModalMessageBox+0xa33 MessageBoxTimeoutW-0xb5 user32+0x6fa18 @ 0x755efa18
MessageBoxTimeoutW+0x52 MessageBoxTimeoutA-0x9 user32+0x6fb1f @ 0x755efb1f
New_user32_MessageBoxTimeoutW@24+0x137 New_user32_RegisterHotKey@16-0x80 @ 0x73f477b7
MessageBoxExW+0x1b MessageBoxA-0x9 user32+0x6fd15 @ 0x755efd15
MessageBoxW+0x18 SetSysColors-0x9 user32+0x6fd57 @ 0x755efd57
rundll32+0x393f @ 0x63393f
rundll32+0x247a @ 0x63247a
rundll32+0x1baf @ 0x631baf
rundll32+0x12e8 @ 0x6312e8
rundll32+0x1901 @ 0x631901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x73d23f46
registers.esp: 1305164
registers.edi: 0
registers.eax: 1943158598
registers.ebp: 1305204
registers.edx: 0
registers.ebx: 0
registers.esi: 1943158598
registers.ecx: 8129896
1 0 0

__exception__

 stacktrace: 
CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x754ad08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x754a964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75494d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75496f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x7549e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75496002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75495fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x754949e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75495a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x772e9a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77308f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77308e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x76877a25
rundll32+0x135c @ 0x63135c
rundll32+0x1901 @ 0x631901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x754c3ef4
registers.esp: 1307808
registers.edi: 0
registers.eax: 32907616
registers.ebp: 1307836
registers.edx: 1
registers.ebx: 0
registers.esi: 2956952
registers.ecx: 1943025020
1 0 0
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 2920
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000004f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2920
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001cd0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3008
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001da0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3008
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001db0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1580
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2416
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2416
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001dd0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2348
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001da0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2432
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001db0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2676
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001ca0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2676
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001cb0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000003f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2308
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001ea0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2960
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2324
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2324
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c50000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000004f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2632
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000500000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2884
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001ca0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2884
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001f40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001e80000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2080
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001e90000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2588
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2588
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2052
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3032
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3032
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3052
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3052
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001c40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3056
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3056
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001d40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3324
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000010012000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefee30000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007feff10d000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3612
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001dd0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 3612
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000001de0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefcf27000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd6af000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefd5d9000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076cf0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076eee000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 3612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076bc0000
process_handle: 0xffffffffffffffff
1 0 0
description explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 0
free_bytes_available: 10219286528
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0
cmdline C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhdXxV\hyoafnKWtJAy.dll"
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: smss.exe
process_identifier: 232
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: lsass.exe
process_identifier: 456
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: lsm.exe
process_identifier: 464
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: svchost.exe
process_identifier: 576
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: svchost.exe
process_identifier: 652
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: svchost.exe
process_identifier: 720
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: svchost.exe
process_identifier: 844
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: svchost.exe
process_identifier: 992
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: svchost.exe
process_identifier: 348
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: spoolsv.exe
process_identifier: 1064
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: svchost.exe
process_identifier: 1120
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: dwm.exe
process_identifier: 1208
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: explorer.exe
process_identifier: 1236
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: svchost.exe
process_identifier: 1332
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: svchost.exe
process_identifier: 1728
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: pw.exe
process_identifier: 1860
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: SearchIndexer.exe
process_identifier: 1904
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: SearchProtocolHost.exe
process_identifier: 744
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: SearchFilterHost.exe
process_identifier: 1984
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: SearchProtocolHost.exe
process_identifier: 1876
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: mobsync.exe
process_identifier: 1588
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: pw.exe
process_identifier: 2084
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: taskhost.exe
process_identifier: 2116
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: sdclt.exe
process_identifier: 2140
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: cmd.exe
process_identifier: 2248
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: conhost.exe
process_identifier: 2256
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: pw.exe
process_identifier: 2332
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: rundll32.exe
process_identifier: 2136
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: rundll32.exe
process_identifier: 2992
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000138
process_name: rundll32.exe
process_identifier: 2884
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 2304
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 2728
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 2872
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3124
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3216
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3324
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: rundll32.exe
process_identifier: 3596
1 1 0

Process32NextW

 snapshot_handle: 0x0000000000000154
process_name: regsvr32.exe
process_identifier: 3612
1 1 0
section {u'size_of_data': u'0x0002be00', u'virtual_address': u'0x0001b000', u'entropy': 7.848244115365133, u'name': u'.rsrc', u'virtual_size': u'0x0002bc80'} entropy 7.84824411537 description A section with a high entropy has been found
entropy 0.654850746269 description Overall entropy of this PE file is high
process regsvr32.exe
process rundll32.exe
host 104.168.155.143
host 144.202.108.116
host 149.56.131.28
host 164.90.222.65
host 172.105.226.75
host 196.218.30.83
host 207.148.79.14
host 213.239.212.5
service_name hyoafnKWtJAy.dll service_path C:\Windows\System32\regsvr32.exe "C:\Windows\system32\RPhdXxV\hyoafnKWtJAy.dll"
Time & API Arguments Status Return Repeated

CreateServiceW

 service_start_name:
start_type: 2
password:
display_name: hyoafnKWtJAy.dll
filepath: C:\Windows\System32\regsvr32.exe "C:\Windows\system32\RPhdXxV\hyoafnKWtJAy.dll"
service_name: hyoafnKWtJAy.dll
filepath_r: C:\Windows\system32\regsvr32.exe "C:\Windows\system32\RPhdXxV\hyoafnKWtJAy.dll"
desired_access: 2
service_handle: 0x00000000003951c0
error_control: 0
service_type: 16
service_manager_handle: 0x000000000036ed20
1 3756480 0
Elastic malicious (moderate confidence)
DrWeb Trojan.Emotet.1203
FireEye Generic.mg.ea0d73a321582562
McAfee Emotet-FTY!EA0D73A32158
Cyren W64/Emotet.ELT.gen!Eldorado
ESET-NOD32 a variant of Win64/Kryptik.DHR
Kaspersky Trojan.Win64.Strab.n
Avast BotX-gen [Trj]
TrendMicro TrojanSpy.Win64.EMOTET.SMYXCFC
McAfee-GW-Edition Emotet-FTY!EA0D73A32158
ZoneAlarm Trojan.Win64.Strab.n
Microsoft Trojan:Win64/Emotet.BY!MTB
AhnLab-V3 Malware/Win.FTY.R503424
Rising Trojan.Kryptik!8.8 (C64:YzY0OqasBLIYLZhS)
Fortinet W64/Emotet.F1DB!tr
AVG BotX-gen [Trj]
file C:\Windows\System32\RPhdXxV\hyoafnKWtJAy.dll:Zone.Identifier
dead_host 144.202.108.116:8080
dead_host 207.148.79.14:8080
dead_host 164.90.222.65:443
dead_host 196.218.30.83:443
dead_host 104.168.155.143:8080