Analysis Report P0DNoD3M7G

Overview

General Information

Sample Name: P0DNoD3M7G (renamed file extension from none to dll)
Analysis ID: 392875
MD5: 6132233b774e373cf727e90a84fbbd14
SHA1: b32ab2153285df6a2e3bdd130f966426c538726e
SHA256: 34bfcb0fa8c5d49dd601ea9134bb77ed4d2be8bd6782f713183faed72ffcdfaa
Tags: 40112, Dridex

Detection

Dridex Dropper
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Dridex dropper found
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to call native functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.70a90000.3.unpack Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["8.210.53.215:443", "72.249.22.245:2303", "188.40.137.206:8172"], "RC4 keys": ["RL2wu3FXHUGPGOtIL6lP6N0VZhCf8JeWK7yz9s", "hv0xsKjSe3xEYSnSvgjXlHRW9ricyO0t9ZWgJA8A1xjwSsIZgs78qb4LqGAl5z9P2rtE"]}
Multi AV Scanner detection for submitted file
Source: P0DNoD3M7G.dll Virustotal: Detection: 63%
Machine Learning detection for sample
Source: P0DNoD3M7G.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.rundll32.exe.ea0000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 3.2.rundll32.exe.e803d4.1.unpack Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Uses 32bit PE files
Source: P0DNoD3M7G.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: P0DNoD3M7G.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: rundll32.exe, 00000003.00000003.278809880.000000004B280000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: rundll32.exe, 00000003.00000003.278809880.000000004B280000.00000004.00000001.sdmp
Source: Binary string: Gsp.pdb source: loaddll32.exe, 00000000.00000002.218261598.0000000070AB4000.00000002.00020000.sdmp, P0DNoD3M7G.dll

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 8.210.53.215:443
Source: Malware configuration extractor IPs: 72.249.22.245:2303
Source: Malware configuration extractor IPs: 188.40.137.206:8172
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 72.249.22.245
Source: Joe Sandbox View IP Address: 188.40.137.206
Source: Joe Sandbox View IP Address: 8.210.53.215
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-TIERP-36024US
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: loaddll32.exe, 00000000.00000002.218272982.0000000070ABB000.00000002.00020000.sdmp, P0DNoD3M7G.dll String found in binary or memory: http://ansicon.adoxa.vze.com/6

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.218218347.000000000081B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Dridex dropper found
Source: Initial file Signature Results: Dridex dropper behavior
Yara detected Dridex unpacked file
Source: Yara match File source: 00000003.00000002.488352077.0000000070A91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.70a90000.3.unpack, type: UNPACKEDPE

System Summary:

Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70AA218C NtDelayExecution, 3_2_70AA218C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70AA2790 NtAllocateVirtualMemory, 3_2_70AA2790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70A9BC00 NtClose, 3_2_70A9BC00
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70AA07CC 3_2_70AA07CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70A91494 3_2_70A91494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70A984E4 3_2_70A984E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70AA14D8 3_2_70AA14D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70A9A5A4 3_2_70A9A5A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70A99144 3_2_70A99144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70AA92DC 3_2_70AA92DC
Sample file is different than original file name gathered from version info
Source: P0DNoD3M7G.dll Binary or memory string: OriginalFilenameANSI32.dll0 vs P0DNoD3M7G.dll
Uses 32bit PE files
Source: P0DNoD3M7G.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: P0DNoD3M7G.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal92.bank.troj.evad.winDLL@5/0@0/3
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\P0DNoD3M7G.dll',#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\P0DNoD3M7G.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\P0DNoD3M7G.dll',#1
Source: P0DNoD3M7G.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_70AB82E2 pushad ; retf 0_2_70AB82DD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_70AB82C6 pushad ; retf 0_2_70AB82DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70A9F744 push esi; mov dword ptr [esp], 00000000h 3_2_70A9F745
Source: initial sample Static PE information: section name: .text entropy: 7.55754035599
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: OutputDebugStringW count: 722
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: \KnownDlls32\testapp.exe
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 722
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70AA07CC GetTokenInformation,GetSystemInfo,GetTokenInformation, 3_2_70AA07CC

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 90% for more than 60s
Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70A96DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 3_2_70A96DC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70AA3060 RtlAddVectoredExceptionHandler, 3_2_70AA3060

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\P0DNoD3M7G.dll',#1
Source: rundll32.exe, 00000003.00000002.488199221.0000000003250000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000003.00000002.488199221.0000000003250000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.488199221.0000000003250000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000002.488199221.0000000003250000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_70A96DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 3_2_70A96DC8
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 392875, Sample: P0DNoD3M7G, Startdate: 19/04/2021, Architecture: WINDOWS, Score: 92
Process chain: loaddll32.exe -> cmd.exe -> rundll32.exe
Contacted hosts: 188.40.137.206 (HETZNER-ASDE, Germany); 8.210.53.215 (CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, Singapore); 72.249.22.245 (AS-TIERP-36024US, United States)
Signatures on root: Found malware configuration; Multi AV Scanner detection for submitted file; Dridex dropper found; 3 other signatures
Signatures on rundll32.exe: Tries to detect sandboxes / dynamic malware analysis system (file name check); Tries to delay execution (extensive OutputDebugStringW loop); Found potential dummy code loops (likely to delay analysis)

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name                                          Malicious
72.249.22.245   unknown  United States  36024  AS-TIERP-36024US                                  true
188.40.137.206  unknown  Germany        24940  HETZNER-ASDE                                      true
8.210.53.215    unknown  Singapore      45102  CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC  true