Analysis Report 931f389a_by_Libranalysis

Overview

General Information

Sample Name: 931f389a_by_Libranalysis (renamed file extension from none to dll)
Analysis ID: 413031
MD5: 931f389af3eac907ce78eb6219e28f47
SHA1: f0444b6d18303e468f993f5fad350f585e811650
SHA256: a98b3bccd362cfbac2de3f8dfc80e041ce2aa327fcd07480ac60db93cdb980cd

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 2.2.rundll32.exe.10000000.3.unpack Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["203.114.109.124:443", "82.165.145.100:6601", "94.177.255.18:8172"], "RC4 keys": ["BwjTiXD0nMT8wuL0lzuDMT1lwajgYLnSPMpMch1H2fk8H", "Zn2kewZlGvQs4cF0q7SiWd3gnwzXSWs561WqoqBWjN3RtNQTcvkRtcHJba3Ed"]}
Multi AV Scanner detection for submitted file
Source: 931f389a_by_Libranalysis.dll ReversingLabs: Detection: 61%
Machine Learning detection for sample
Source: 931f389a_by_Libranalysis.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 931f389a_by_Libranalysis.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 931f389a_by_Libranalysis.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ClusApi.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: sfc.pdbhW source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb8w source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.394808376.0000000003701000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdbkb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbmb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: rasapi32.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb'b source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb"w source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.394808376.0000000003701000.00000004.00000001.sdmp
Source: Binary string: mpr.pdbkV source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb)b source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: rasman.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: combase.pdb1b source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.327208470.0000000010024000.00000002.00020000.sdmp, WerFault.exe, 0000000B.00000002.416937891.0000000005D10000.00000002.00000001.sdmp, 931f389a_by_Libranalysis.dll
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: imagehlp.pdb=b source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.394394413.000000000370D000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.402086743.0000000005B50000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.394139160.0000000003707000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.402076152.0000000005A41000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb;b source: WerFault.exe, 0000000B.00000003.402092978.0000000005B56000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 82.165.145.100:6601
Source: Malware configuration extractor IPs: 94.177.255.18:8172
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 94.177.255.18
Source: Joe Sandbox View IP Address: 203.114.109.124
Source: Joe Sandbox View IP Address: 82.165.145.100
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ARUBACLOUDLTD-ASNGB
Source: Joe Sandbox View ASN Name: TOT-LLI-AS-APTOTPublicCompanyLimitedTH
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: WerFault.exe, 0000000B.00000002.416937891.0000000005D10000.00000002.00000001.sdmp, 931f389a_by_Libranalysis.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: WerFault.exe, 0000000B.00000002.416937891.0000000005D10000.00000002.00000001.sdmp, 931f389a_by_Libranalysis.dll String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: WerFault.exe, 0000000B.00000002.416937891.0000000005D10000.00000002.00000001.sdmp, 931f389a_by_Libranalysis.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: WerFault.exe, 0000000B.00000002.416937891.0000000005D10000.00000002.00000001.sdmp, 931f389a_by_Libranalysis.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: WerFault.exe, 0000000B.00000002.416937891.0000000005D10000.00000002.00000001.sdmp, 931f389a_by_Libranalysis.dll String found in binary or memory: http://ocsp.comodoca.com0
Source: WerFault.exe, 0000000B.00000002.416937891.0000000005D10000.00000002.00000001.sdmp, 931f389a_by_Libranalysis.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: WerFault.exe, 0000000B.00000002.416937891.0000000005D10000.00000002.00000001.sdmp, 931f389a_by_Libranalysis.dll String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.327153429.000000000077B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000002.00000002.419174193.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10011460 2_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000846C 2_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10001494 2_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000A52C 2_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10011D58 2_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10019348 2_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10010754 2_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_100090CC 2_2_100090CC
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6464 -s 764
PE / OLE file has an invalid certificate
Source: 931f389a_by_Libranalysis.dll Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: 931f389a_by_Libranalysis.dll Binary or memory string: OriginalFilenamex2otfb.dllN vs 931f389a_by_Libranalysis.dll
Uses 32bit PE files
Source: 931f389a_by_Libranalysis.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 931f389a_by_Libranalysis.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal76.troj.evad.winDLL@6/4@0/3
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6464
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6C1D.tmp
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\931f389a_by_Libranalysis.dll',#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\931f389a_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\931f389a_by_Libranalysis.dll',#1
Source: 931f389a_by_Libranalysis.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

PE file contains an invalid checksum
Source: 931f389a_by_Libranalysis.dll Static PE information: real checksum: 0x2a3c3 should be: 0x3227e
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10007685 push DA598020h; ret 0_2_1000768B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100030DC push edi; iretd 0_2_100030DD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_1000F6CC push esi; mov dword ptr [esp], 00000000h 2_2_1000F6CD
Source: initial sample Static PE information: section name: .text entropy: 7.58875564719

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WerFault.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: \KnownDlls32\TESTAPP.exe
Source: WerFault.exe, 0000000B.00000002.416269760.0000000005BE0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000B.00000003.410781707.00000000054B2000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: WerFault.exe, 0000000B.00000002.415309536.00000000054B0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW0
Source: WerFault.exe, 0000000B.00000002.416269760.0000000005BE0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000B.00000002.416269760.0000000005BE0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000B.00000002.416269760.0000000005BE0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 2_2_10006D50

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\931f389a_by_Libranalysis.dll',#1

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 2_2_10006D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 2_2_10006D50

Behavior Graph (ID: 413031, Sample: 931f389a_by_Libranalysis, Startdate: 13/05/2021, Architecture: WINDOWS, Score: 76)
Process chain: loaddll32.exe -> cmd.exe -> rundll32.exe -> WerFault.exe
Contacted IPs: 203.114.109.124 (TOT-LLI-AS-APTOTPublicCompanyLimitedTH, Thailand), 82.165.145.100 (ONEANDONE-ASBrauerstrasse48DE, Germany), 94.177.255.18 (ARUBACLOUDLTD-ASNGB, Italy)
Signatures shown on graph: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Dridex unpacked file; 2 other signatures; Tries to detect sandboxes / dynamic malware analysis system (file name check) (on rundll32.exe)

Contacted Public IPs

IP               Domain   Country   ASN     ASN Name                                Malicious
94.177.255.18    unknown  Italy     199883  ARUBACLOUDLTD-ASNGB                     true
203.114.109.124  unknown  Thailand  131293  TOT-LLI-AS-APTOTPublicCompanyLimitedTH  true
82.165.145.100   unknown  Germany   8560    ONEANDONE-ASBrauerstrasse48DE           true