Analysis Report IHUVPJ4hXu

Overview

General Information

Sample Name:	IHUVPJ4hXu (renamed file extension from none to dll)
Analysis ID:	392885
MD5:	5b10d906d4ad48a9910a8cc551b2e697
SHA1:	9995dadc015c2003cdfe34c081a5f185aadb6263
SHA256:	61f03287190b9ce1e91fab24eddc302f411813ac49230d2e99335952eb3addc0
Tags:	40111Dridex
Infos:
Most interesting Screenshot:

Detection

Dridex Dropper

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Dridex dropper found

Found malware configuration

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 6.2.rundll32.exe.73220000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}

Machine Learning detection for sample

Source: IHUVPJ4hXu.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.rundll32.exe.d80000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 6.2.rundll32.exe.ee0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.1180000.0.unpack	Avira: Label: TR/ATRAPS.Gen2

Compliance:

Uses 32bit PE files

Source: IHUVPJ4hXu.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: IHUVPJ4hXu.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.314520251.00000000051BB000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.309242515.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.375547176.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.309242515.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.375547176.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.329300103.0000000001032000.00000004.00000010.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp, IHUVPJ4hXu.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdb. source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbv source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbd source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 94.247.168.64:443
Source: Malware configuration extractor	IPs: 159.203.93.122:8172
Source: Malware configuration extractor	IPs: 50.116.27.97:2303

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 159.203.93.122 159.203.93.122
Source: Joe Sandbox View	IP Address: 50.116.27.97 50.116.27.97
Source: Joe Sandbox View	IP Address: 94.247.168.64 94.247.168.64

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: GLESYS-ASSE GLESYS-ASSE

Source: IHUVPJ4hXu.dll

String found in binary or memory: http://ansicon.adoxa.vze.com/6

E-Banking Fraud:

Dridex dropper found

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Source: Yara match	File source: 00000002.00000002.496037557.0000000073221000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.494855843.0000000073221000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.rundll32.exe.73220000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.73220000.3.unpack, type: UNPACKEDPE

System Summary:

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73232790 NtAllocateVirtualMemory,	2_2_73232790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7323218C NtDelayExecution,	2_2_7323218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7322BC00 NtClose,	2_2_7322BC00

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_732307CC	2_2_732307CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73221494	2_2_73221494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_732392DC	2_2_732392DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73229144	2_2_73229144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7322A5A4	2_2_7322A5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_732284E4	2_2_732284E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_732314D8	2_2_732314D8

One or more processes crash

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 424

Sample file is different than original file name gathered from version info

Source: IHUVPJ4hXu.dll

Binary or memory string: OriginalFilenameANSI32.dll0 vs IHUVPJ4hXu.dll

Uses 32bit PE files

Source: IHUVPJ4hXu.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: IHUVPJ4hXu.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6080

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FD9.tmp

Jump to behavior

Source: IHUVPJ4hXu.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 424
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',ReadLogRecord	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1	Jump to behavior

Source: IHUVPJ4hXu.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: IHUVPJ4hXu.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.314520251.00000000051BB000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.309242515.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.375547176.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.309242515.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.375547176.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.329300103.0000000001032000.00000004.00000010.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp, IHUVPJ4hXu.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdb. source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbv source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbd source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_7322F744 push esi; mov dword ptr [esp], 00000000h

2_2_7322F745

Source: initial sample

Static PE information: section name: .text entropy: 7.55877156847

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 980

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 598			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 382			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_732307CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

2_2_732307CC

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 00000009.00000002.330319119.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000009.00000002.330319119.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000009.00000002.330319119.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000009.00000002.330319119.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_73226DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_73226DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_73233060 RtlAddVectoredExceptionHandler,

2_2_73233060

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1

Jump to behavior

Source: rundll32.exe, 00000002.00000002.494814052.0000000003370000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.494197828.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.494814052.0000000003370000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.494197828.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.494814052.0000000003370000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.494197828.0000000003300000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000002.494814052.0000000003370000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.494197828.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000002.494814052.0000000003370000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.494197828.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_73226DC8

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_73226DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
159.203.93.122	unknown	United States	14061	DIGITALOCEAN-ASNUS	true
50.116.27.97	unknown	United States	63949	LINODE-APLinodeLLCUS	true
94.247.168.64	unknown	Sweden	43948	GLESYS-ASSE	true

AV Detection:

Found malware configuration

Source: 6.2.rundll32.exe.73220000.3.unpack

Machine Learning detection for sample

Source: IHUVPJ4hXu.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.rundll32.exe.d80000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 6.2.rundll32.exe.ee0000.2.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.1180000.0.unpack	Avira: Label: TR/ATRAPS.Gen2

Compliance:

Uses 32bit PE files

Source: IHUVPJ4hXu.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: IHUVPJ4hXu.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.314520251.00000000051BB000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.309242515.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.375547176.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.309242515.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.375547176.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.329300103.0000000001032000.00000004.00000010.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp, IHUVPJ4hXu.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdb. source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbv source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbd source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 94.247.168.64:443
Source: Malware configuration extractor	IPs: 159.203.93.122:8172
Source: Malware configuration extractor	IPs: 50.116.27.97:2303

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 159.203.93.122 159.203.93.122
Source: Joe Sandbox View	IP Address: 50.116.27.97 50.116.27.97
Source: Joe Sandbox View	IP Address: 94.247.168.64 94.247.168.64

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View	ASN Name: GLESYS-ASSE GLESYS-ASSE

Source: IHUVPJ4hXu.dll

String found in binary or memory: http://ansicon.adoxa.vze.com/6

E-Banking Fraud:

Dridex dropper found

Source: Initial file

Signature Results: Dridex dropper behavior

Yara detected Dridex unpacked file

Source: Yara match	File source: 00000002.00000002.496037557.0000000073221000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.494855843.0000000073221000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 6.2.rundll32.exe.73220000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.73220000.3.unpack, type: UNPACKEDPE

System Summary:

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73232790 NtAllocateVirtualMemory,	2_2_73232790
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7323218C NtDelayExecution,	2_2_7323218C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7322BC00 NtClose,	2_2_7322BC00

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_732307CC	2_2_732307CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73221494	2_2_73221494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_732392DC	2_2_732392DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_73229144	2_2_73229144
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_7322A5A4	2_2_7322A5A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_732284E4	2_2_732284E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_732314D8	2_2_732314D8

One or more processes crash

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 424

Sample file is different than original file name gathered from version info

Source: IHUVPJ4hXu.dll

Binary or memory string: OriginalFilenameANSI32.dll0 vs IHUVPJ4hXu.dll

Uses 32bit PE files

Source: IHUVPJ4hXu.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: IHUVPJ4hXu.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6080

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FD9.tmp

Jump to behavior

Source: IHUVPJ4hXu.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 424
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',ReadLogRecord	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1	Jump to behavior

Source: IHUVPJ4hXu.dll

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: IHUVPJ4hXu.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: opengl32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.314520251.00000000051BB000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wgdi32full.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.309242515.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.375547176.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: glu32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.309242515.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000006.00000003.375547176.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000009.00000002.329300103.0000000001032000.00000004.00000010.sdmp
Source:	Binary string: fffp4.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp, IHUVPJ4hXu.dll
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: opengl32.pdb. source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdbv source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdbk source: WerFault.exe, 00000009.00000003.320089144.0000000005552000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.320083135.0000000005581000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.320115959.0000000005550000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbd source: WerFault.exe, 00000009.00000003.320124426.0000000005558000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_7322F744 push esi; mov dword ptr [esp], 00000000h

2_2_7322F745

Source: initial sample

Static PE information: section name: .text entropy: 7.55877156847

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 980

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Source: C:\Windows\System32\loaddll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: \KnownDlls32\testapp.exe	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 598			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 382			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_732307CC GetTokenInformation,GetSystemInfo,GetTokenInformation,

2_2_732307CC

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: WerFault.exe, 00000009.00000002.330319119.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000009.00000002.330319119.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000009.00000002.330319119.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000009.00000002.330319119.00000000056E0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_73226DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_73233060 RtlAddVectoredExceptionHandler,

2_2_73233060

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\IHUVPJ4hXu.dll',#1

Jump to behavior

Source: rundll32.exe, 00000002.00000002.494814052.0000000003370000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.494197828.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.494814052.0000000003370000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.494197828.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.494814052.0000000003370000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.494197828.0000000003300000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000002.494814052.0000000003370000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.494197828.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000002.494814052.0000000003370000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.494197828.0000000003300000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_73226DC8

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_73226DC8

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

ID:	392885
Product:	CloudBasic
Start time:	23:39:43
Start date:	19.04.2021
Sample:	IHUVPJ4hXu
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	5b10d906d4ad48a9910a8cc551b2e697
SHA1:	9995dadc015c2003cdfe34c081a5f185aadb6263
SHA256:	61f03287190b9ce1e91fab24eddc302f411813ac49230d2e99335952eb3addc0
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_259aeac81dd625d6a234674e48313673fc16336_160cf2be_19914593\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	73211B114D48E7EFC3E978096E01E6BC	489E31DBCD4FFA4BA9DA917908691998B7871307	C212876A4121C04E13123C5E1109D5C95BBDB6EB22F8A5249B181A25AC9E8161
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FD9.tmp.dmp	Mini DuMP crash report, 15 streams, Tue Apr 20 06:41:15 2021, 0x1205a4 type	8FF70CF10D12D586BAFCEEBCB6AEF93C	1ACDF0E243BEEEA770A9B0DFA040FBF75E151DD4	437F9E935DC3E51B8B7930B3249B366752E9CBF32E555CF46ED1948E79F7C43B
C:\ProgramData\Microsoft\Windows\WER\Temp\WER377B.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	36DCF0DC5C2F6661F18CF97B1638B3BB	0B50357DC02CE0202A894974FA9345D7E90C7A09	439A477F2CEE4BA525FF8035028031FE07DE841AB01ED46DFADCE54E167654A1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3DF4.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	4CE5512562FD5E4C27F4AE608746ADF6	ADD86FEF957F6968923B6D6C8A7DA55DBC0E8F07	59A8C7894DAAD47799804C25A7F201C3956E80D1CA5A3F46A65E1E39CCC63BB6

Analysis Report IHUVPJ4hXu

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs