Source: 3.2.rundll32.exe.10000000.3.unpack |
Malware Configuration Extractor: Dridex {"Version": 22202, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "UlufoCqJDohDzGOdBY6ldd1IbFW5KV8BqCAnkqwdDzvq0CsZOOngL"]} |
Source: 5322b76c_by_Libranalysis.dll |
ReversingLabs: Detection: 29% |
Source: 5322b76c_by_Libranalysis.dll |
Joe Sandbox ML: detected |
Source: 5322b76c_by_Libranalysis.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: 5322b76c_by_Libranalysis.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: fpmvppp.pdb source: loaddll32.exe, 00000001.00000002.209140353.0000000010025000.00000002.00020000.sdmp, 5322b76c_by_Libranalysis.dll |
Source: Malware configuration extractor |
IPs: 43.229.206.212:443 |
Source: Malware configuration extractor |
IPs: 82.209.17.209:8172 |
Source: Malware configuration extractor |
IPs: 162.241.209.225:4125 |
Source: Joe Sandbox View |
IP Address: 82.209.17.209 |
Source: Joe Sandbox View |
IP Address: 162.241.209.225 |
Source: Joe Sandbox View |
ASN Name: PODA-ASCZ |
Source: Joe Sandbox View |
ASN Name: UNIFIEDLAYER-AS-1US |
Source: Yara match |
File source: 00000003.00000002.287972689.0000000010001000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 3.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10021E90 |
1_2_10021E90 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10011460 |
3_2_10011460 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_1000846C |
3_2_1000846C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10001494 |
3_2_10001494 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_1000A52C |
3_2_1000A52C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10011D58 |
3_2_10011D58 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10019348 |
3_2_10019348 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10010754 |
3_2_10010754 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_100090CC |
3_2_100090CC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 784 |
Source: 5322b76c_by_Libranalysis.dll |
Binary or memory string: OriginalFilenamex2otfb.dllN vs 5322b76c_by_Libranalysis.dll |
Source: 5322b76c_by_Libranalysis.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal72.troj.winDLL@6/4@0/3 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess808 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER25BB.tmp |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5322b76c_by_Libranalysis.dll',#1 |
|
Source: 5322b76c_by_Libranalysis.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 1_2_10007550 push ebp; ret |
1_2_10007557 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_1000F6CC push esi; mov dword ptr [esp], 00000000h |
3_2_1000F6CD |
Source: initial sample |
Static PE information: section name: .text entropy: 7.52981613282 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Windows\SysWOW64\cmd.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe |
Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
3_2_10006D50 |