Analysis Report u3A1eWFqLE.dll

Overview

General Information

Sample Name: u3A1eWFqLE.dll
Analysis ID: 392886
MD5: 13272e189ce1c61b9a7c3660ea94ab2a
SHA1: 3593c7bb4229f1e822839c11ab3713c970b584e4
SHA256: 2e3dc149c4384b79a6f19305efa6762602100b568c4a73b88ce3b714644ed849
Tags: 40111, Dridex

Detection

Dridex Dropper
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Dridex dropper found
Found malware configuration
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 5.2.rundll32.exe.73320000.3.unpack Malware Configuration Extractor: Dridex {"Version": 40111, "C2 list": ["94.247.168.64:443", "159.203.93.122:8172", "50.116.27.97:2303"], "RC4 keys": ["VOw9c7u110XYjoFF2SzRWNcWNob7Sec1HxEVgBrFF", "5gZeCc8o5cQELWnF44Ik184W6MoZ25O98Rol7kPT2itFWvdxWiT70K4o4YnFUN4mL"]}
Machine Learning detection for sample
Source: u3A1eWFqLE.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.rundll32.exe.25d0000.2.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 0.2.loaddll32.exe.ec0000.1.unpack Avira: Label: TR/ATRAPS.Gen2
Source: 5.2.rundll32.exe.23d0000.2.unpack Avira: Label: TR/ATRAPS.Gen2

Compliance:

Uses 32bit PE files
Source: u3A1eWFqLE.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: u3A1eWFqLE.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: opengl32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000011.00000003.547563461.0000000003382000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000011.00000003.542076918.0000000001051000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source: Binary string: wgdi32full.pdbk source: WerFault.exe, 00000011.00000003.547563461.0000000003382000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdbY source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: rundll32.exe, 00000002.00000003.277316617.00000000045D0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.340830020.000000004B280000.00000004.00000001.sdmp
Source: Binary string: glu32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: rundll32.exe, 00000002.00000003.277316617.00000000045D0000.00000004.00000001.sdmp, rundll32.exe, 00000005.00000003.340830020.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000011.00000003.542068835.000000000104B000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source: Binary string: oCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000011.00000002.553395034.0000000000C92000.00000004.00000010.sdmp
Source: Binary string: msvcrt.pdbG source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source: Binary string: fffp4.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp, u3A1eWFqLE.dll
Source: Binary string: advapi32.pdbK source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000011.00000003.542316741.0000000001057000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000011.00000003.547567572.0000000003387000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000011.00000003.542316741.0000000001057000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 00000011.00000003.542076918.0000000001051000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000011.00000003.547579711.0000000003380000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000011.00000003.547554748.00000000051B1000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 94.247.168.64:443
Source: Malware configuration extractor IPs: 159.203.93.122:8172
Source: Malware configuration extractor IPs: 50.116.27.97:2303
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 159.203.93.122
Source: Joe Sandbox View IP Address: 50.116.27.97
Source: Joe Sandbox View IP Address: 94.247.168.64
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View ASN Name: GLESYS-ASSE
Source: u3A1eWFqLE.dll String found in binary or memory: http://ansicon.adoxa.vze.com/6

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.558625849.0000000000B6B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Dridex dropper found
Source: Initial file Signature Results: Dridex dropper behavior
Yara detected Dridex unpacked file
Source: Yara match File source: 00000002.00000002.617918728.0000000073321000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.620248864.0000000073321000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.73320000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.73320000.3.unpack, type: UNPACKEDPE

System Summary:

Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_73332790 NtAllocateVirtualMemory, 2_2_73332790
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_7333218C NtDelayExecution, 2_2_7333218C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_7332BC00 NtClose, 2_2_7332BC00
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_733307CC 2_2_733307CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_73321494 2_2_73321494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_733392DC 2_2_733392DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_73329144 2_2_73329144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_7332A5A4 2_2_7332A5A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_733284E4 2_2_733284E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_733314D8 2_2_733314D8
One or more processes crash
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 412
Sample file is different than original file name gathered from version info
Source: u3A1eWFqLE.dll Binary or memory string: OriginalFilenameANSI32.dll0 vs u3A1eWFqLE.dll
Uses 32bit PE files
Source: u3A1eWFqLE.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: u3A1eWFqLE.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal80.bank.troj.evad.winDLL@8/4@0/3
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5340
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3493.tmp
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',ReadLogRecord
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 412
Source: u3A1eWFqLE.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: u3A1eWFqLE.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_7332F744 push esi; mov dword ptr [esp], 00000000h 2_2_7332F745
Source: initial sample Static PE information: section name: .text entropy: 7.55877156847
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: OutputDebugStringW count: 2098
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Windows\System32\loaddll32.exe Section loaded: \KnownDlls32\testapp.exe
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: \KnownDlls32\testapp.exe
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 1173
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 924
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_733307CC GetTokenInformation,GetSystemInfo,GetTokenInformation, 2_2_733307CC
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000011.00000002.557597477.0000000004FB0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_73326DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 2_2_73326DC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_73333060 RtlAddVectoredExceptionHandler, 2_2_73333060

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u3A1eWFqLE.dll',#1
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000002.616595591.0000000002E70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.618724186.0000000002D30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 2_2_73326DC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_73326DC8 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 2_2_73326DC8
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 392886, Sample: u3A1eWFqLE.dll, Startdate: 19/04/2021, Architecture: WINDOWS, Score: 80

Contacted IPs: 50.116.27.97 (LINODE-APLinodeLLCUS, United States), 94.247.168.64 (GLESYS-ASSE, Sweden), 159.203.93.122 (DIGITALOCEAN-ASNUS, United States)

Signatures on the start node: Found malware configuration; Dridex dropper found; Yara detected Dridex unpacked file; 2 other signatures

Process tree:
  loaddll32.exe (Tries to detect sandboxes / dynamic malware analysis system (file name check))
    cmd.exe
      rundll32.exe (Tries to detect sandboxes / dynamic malware analysis system (file name check); Tries to delay execution (extensive OutputDebugStringW loop))
    rundll32.exe (Tries to detect sandboxes / dynamic malware analysis system (file name check))
    WerFault.exe

Contacted Public IPs

IP              Domain   Country        ASN    ASN Name              Malicious
159.203.93.122  unknown  United States  14061  DIGITALOCEAN-ASNUS    true
50.116.27.97    unknown  United States  63949  LINODE-APLinodeLLCUS  true
94.247.168.64   unknown  Sweden         43948  GLESYS-ASSE           true