Analysis Report 6vywr0yn.php

Overview

General Information

Sample Name: 6vywr0yn.php (renamed file extension from php to dll)
Analysis ID: 326344
MD5: 24af4121e268839125e7dc0a8cfe57bb
SHA1: 68e59497ecca420d7ee86cc708a3046f8f8da300
SHA256: e101211fc11db8ac7365aea768c7a42fae6d6148d273923cc3271aceaf204365

Detection

Score: 23
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Machine Learning detection for sample
Checks if the current process is being debugged
Enables debug privileges
One or more processes crash
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs

Classification

AV Detection:

Machine Learning detection for sample
Source: 6vywr0yn.dll Joe Sandbox ML: detected

System Summary:

One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 284
Sample file is different than original file name gathered from version info
Source: 6vywr0yn.dll Binary or memory string: OriginalFilenameoe2hrfl.dllX vs 6vywr0yn.dll
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: classification engine Classification label: sus23.winDLL@3/8@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6536
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4EE.tmp
Source: 6vywr0yn.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6vywr0yn.dll'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 284
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6536 -s 240
Source: 6vywr0yn.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: 6vywr0yn.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: EFRE65.pdb source: 6vywr0yn.dll
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658917823.0000000003249000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000003.00000003.649342719.0000000004FB2000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000003.00000003.649370029.0000000004FB5000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658928903.000000000320C000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdbk source: WerFault.exe, 00000003.00000003.649370029.0000000004FB5000.00000004.00000040.sdmp
Source: Binary string: aumjrxmCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000003.00000002.653904672.0000000002A32000.00000004.00000010.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000003.00000003.649365067.0000000004FB0000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000003.00000003.649365067.0000000004FB0000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000003.00000003.649365067.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000003.00000003.647964693.0000000002DCA000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658949932.0000000003218000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbk source: WerFault.exe, 00000003.00000003.649342719.0000000004FB2000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000003.00000003.649365067.0000000004FB0000.00000004.00000040.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000003.00000003.647964693.0000000002DCA000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658949932.0000000003218000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000003.00000003.647906130.0000000002DC4000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658934374.0000000003212000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000003.00000003.647729031.0000000004BA8000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000003.00000003.649328753.0000000004FE1000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.660612233.0000000005061000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000003.00000003.647843222.0000000002DBE000.00000004.00000001.sdmp, WerFault.exe, 00000005.00000003.658928903.000000000320C000.00000004.00000001.sdmp

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 00000005.00000002.681033724.00000000031DB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW Area Connection* 6
Source: WerFault.exe, 00000003.00000002.654666487.0000000004C70000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.682254317.0000000005550000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000005.00000002.681033724.00000000031DB000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000003.00000002.654666487.0000000004C70000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.682254317.0000000005550000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000003.00000002.654666487.0000000004C70000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.682254317.0000000005550000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000005.00000002.681144622.0000000004CD0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWpZ
Source: WerFault.exe, 00000003.00000002.654666487.0000000004C70000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.682254317.0000000005550000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WerFault.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Enables debug privileges
Source: C:\Windows\SysWOW64\WerFault.exe Process token adjusted: Debug

Behavior Graph

Behavior Graph ID: 326344, Sample: 6vywr0yn.php, Startdate: 03/12/2020, Architecture: WINDOWS, Score: 23. The sample triggers the signature "Machine Learning detection for sample"; loaddll32.exe is started with the sample, and it in turn starts two WerFault.exe processes.
No contacted IP infos