Source: 2.2.rundll32.exe.10000000.3.unpack |
Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "39t3NdDhurvpltFNCpvA5goSylkxjIBtIwWPTv1DPbNEcuIekQC7O"]} |
Source: 94a4d66c_by_Libranalysis.dll |
Joe Sandbox ML: detected |
Source: 94a4d66c_by_Libranalysis.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: 94a4d66c_by_Libranalysis.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: |
Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.206874993.0000000010025000.00000002.00020000.sdmp, 94a4d66c_by_Libranalysis.dll |
Source: Malware configuration extractor |
IPs: 43.229.206.212:443 |
Source: Malware configuration extractor |
IPs: 82.209.17.209:8172 |
Source: Malware configuration extractor |
IPs: 162.241.209.225:4125 |
Source: Joe Sandbox View |
IP Address: 82.209.17.209 |
Source: Joe Sandbox View |
IP Address: 162.241.209.225 |
Source: Joe Sandbox View |
IP Address: 43.229.206.212 |
Source: Joe Sandbox View |
ASN Name: PODA-ASCZ |
Source: Joe Sandbox View |
ASN Name: UNIFIEDLAYER-AS-1US |
Source: Joe Sandbox View |
ASN Name: INET-AS-IDPTInetGlobalIndoID |
Source: loaddll32.exe, 00000000.00000002.206845651.0000000000B6B000.00000004.00000020.sdmp |
Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
|
Source: Yara match |
File source: 00000002.00000002.276237317.0000000010001000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match |
File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100220F0 |
0_2_100220F0 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10011460 |
2_2_10011460 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_1000846C |
2_2_1000846C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10001494 |
2_2_10001494 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_1000A52C |
2_2_1000A52C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10011D58 |
2_2_10011D58 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10019348 |
2_2_10019348 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10010754 |
2_2_10010754 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_100090CC |
2_2_100090CC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 764 |
Source: 94a4d66c_by_Libranalysis.dll |
Binary or memory string: OriginalFilenamex2otfb.dllN vs 94a4d66c_by_Libranalysis.dll |
Source: 94a4d66c_by_Libranalysis.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: classification engine |
Classification label: mal64.troj.winDLL@6/4@0/3 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1364 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF94C.tmp |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll' |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1 |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 764 |
|
Source: 94a4d66c_by_Libranalysis.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10006207 push ebx; ret |
0_2_10006208 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10004E0F push 822377FAh; iretd |
0_2_10004E14 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10005813 push eax; ret |
0_2_1000590D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10006830 push 82235DBAh; iretd |
0_2_10006855 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_1000585A push eax; ret |
0_2_1000590D |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10005A7B push cs; iretd |
0_2_10005B7E |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10006A80 push ebx; iretd |
0_2_10006A85 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_1000388E push 8223930Ah; iretd |
0_2_10003893 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100048AF push 8223A1AEh; iretd |
0_2_100048B4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100066D0 push 8223737Ah; iretd |
0_2_100066D5 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100054EF push 822385B2h; iretd |
0_2_100054F4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_1000530F push 82230D7Eh; iretd |
0_2_10005314 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10002D4A push 0E950FD0h; iretd |
0_2_10002D7C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_1000574F push 82238352h; iretd |
0_2_10005754 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100037A2 push cs; retf |
0_2_100037DC |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100039C3 push edi; retf |
0_2_100039C4 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10005FD6 push 0E950020h; retf |
0_2_10005FDE |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_10002DF3 push cs; iretd |
0_2_10002E7C |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_100037F5 push cs; retf |
0_2_100037DC |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_1000F6CC push esi; mov dword ptr [esp], 00000000h |
2_2_1000F6CD |
Source: initial sample |
Static PE information: section name: .text entropy: 7.53078515147 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe |
Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
2_2_10006D50 |