Analysis Report 94a4d66c_by_Libranalysis.dll

Overview

General Information

Sample Name:	94a4d66c_by_Libranalysis.dll
Analysis ID:	413061
MD5:	94a4d66c882da84cc0860d137104005e
SHA1:	e00e1f28f071f4a3a363f6dfc323ec4c72ef3bb6
SHA256:	68370d0a3d49288b1b76add1a49c954a8a5c5c9ca9dc337d72911286fa98c287
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 2.2.rundll32.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["43.229.206.212:443", "82.209.17.209:8172", "162.241.209.225:4125"], "RC4 keys": ["16dkGStOzdHgjuCciXGdSX7UrHWfYSUG8wEUtKNgzHrWMfTGafJbC", "39t3NdDhurvpltFNCpvA5goSylkxjIBtIwWPTv1DPbNEcuIekQC7O"]}

Multi AV Scanner detection for submitted file

Source: 94a4d66c_by_Libranalysis.dll

ReversingLabs: Detection: 36%

Machine Learning detection for sample

Source: 94a4d66c_by_Libranalysis.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ClusApi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.391972624.0000000000C65000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbw source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.393158092.0000000000C5F000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb' source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb) source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.392585945.0000000000C6B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb; source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.393158092.0000000000C5F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdbe source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.399066244.00000000050C1000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb= source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.325647019.0000000010025000.00000002.00020000.sdmp, 94a4d66c_by_Libranalysis.dll
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbc source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdby source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.392585945.0000000000C6B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb. source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.391972624.0000000000C65000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb1 source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 43.229.206.212:443
Source: Malware configuration extractor	IPs: 82.209.17.209:8172
Source: Malware configuration extractor	IPs: 162.241.209.225:4125

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 82.209.17.209 82.209.17.209
Source: Joe Sandbox View	IP Address: 162.241.209.225 162.241.209.225
Source: Joe Sandbox View	IP Address: 43.229.206.212 43.229.206.212

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: PODA-ASCZ PODA-ASCZ
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: INET-AS-IDPTInetGlobalIndoID INET-AS-IDPTInetGlobalIndoID

Source: WerFault.exe, 00000009.00000003.414184029.0000000004AFC000.00000004.00000001.sdmp

String found in binary or memory: http://crl.micro

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000002.325616365.0000000000FEB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 00000002.00000002.418568189.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100220F0	0_2_100220F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011460	2_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000846C	2_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10001494	2_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000A52C	2_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011D58	2_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10019348	2_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10010754	2_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100090CC	2_2_100090CC

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 764

Sample file is different than original file name gathered from version info

Source: 94a4d66c_by_Libranalysis.dll

Binary or memory string: OriginalFilenamex2otfb.dllN vs 94a4d66c_by_Libranalysis.dll

Uses 32bit PE files

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal72.troj.winDLL@6/4@0/4

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6520

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2C8.tmp

Jump to behavior

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1

Source: 94a4d66c_by_Libranalysis.dll

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 764
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1	Jump to behavior

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ClusApi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.391972624.0000000000C65000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbw source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.393158092.0000000000C5F000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb' source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb) source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.392585945.0000000000C6B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb; source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.393158092.0000000000C5F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdbe source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.399066244.00000000050C1000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb= source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.325647019.0000000010025000.00000002.00020000.sdmp, 94a4d66c_by_Libranalysis.dll
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbc source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdby source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.392585945.0000000000C6B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb. source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.391972624.0000000000C65000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb1 source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006207 push ebx; ret	0_2_10006208
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004E0F push 822377FAh; iretd	0_2_10004E14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005813 push eax; ret	0_2_1000590D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006830 push 82235DBAh; iretd	0_2_10006855
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002C33 push 0E950FD0h; iretd	0_2_10002D7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000585A push eax; ret	0_2_1000590D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005A7B push cs; iretd	0_2_10005B7E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006A80 push ebx; iretd	0_2_10006A85
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002C8E push 0E950FD0h; iretd	0_2_10002D7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000388E push 8223930Ah; iretd	0_2_10003893
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100048AF push 8223A1AEh; iretd	0_2_100048B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100066D0 push 8223737Ah; iretd	0_2_100066D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100054EF push 822385B2h; iretd	0_2_100054F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000530F push 82230D7Eh; iretd	0_2_10005314
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000574F push 82238352h; iretd	0_2_10005754
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037A2 push cs; retf	0_2_100037DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100039C3 push edi; retf	0_2_100039C4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005FD6 push 0E950020h; retf	0_2_10005FDE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002DF3 push cs; iretd	0_2_10002E7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037F5 push cs; retf	0_2_100037DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000F6CC push esi; mov dword ptr [esp], 00000000h	2_2_1000F6CD

Source: initial sample

Static PE information: section name: .text entropy: 7.53078515147

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: WerFault.exe, 00000009.00000002.416798979.0000000005240000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000009.00000003.414293254.0000000004BBA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000009.00000002.416798979.0000000005240000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000009.00000002.416798979.0000000005240000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000009.00000002.416798979.0000000005240000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 2_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_10006D50

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1

Jump to behavior

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

2_2_10006D50

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_10006D50

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
82.209.17.209	unknown	Czech Republic	30764	PODA-ASCZ	true
162.241.209.225	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
43.229.206.212	unknown	Indonesia	24532	INET-AS-IDPTInetGlobalIndoID	true

Private

IP
192.168.2.1

AV Detection:

Found malware configuration

Source: 2.2.rundll32.exe.10000000.3.unpack

Multi AV Scanner detection for submitted file

Source: 94a4d66c_by_Libranalysis.dll

ReversingLabs: Detection: 36%

Machine Learning detection for sample

Source: 94a4d66c_by_Libranalysis.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ClusApi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.391972624.0000000000C65000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbw source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.393158092.0000000000C5F000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb' source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb) source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.392585945.0000000000C6B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb; source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.393158092.0000000000C5F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdbe source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.399066244.00000000050C1000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb= source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.325647019.0000000010025000.00000002.00020000.sdmp, 94a4d66c_by_Libranalysis.dll
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbc source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdby source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.392585945.0000000000C6B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb. source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.391972624.0000000000C65000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb1 source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 43.229.206.212:443
Source: Malware configuration extractor	IPs: 82.209.17.209:8172
Source: Malware configuration extractor	IPs: 162.241.209.225:4125

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 82.209.17.209 82.209.17.209
Source: Joe Sandbox View	IP Address: 162.241.209.225 162.241.209.225
Source: Joe Sandbox View	IP Address: 43.229.206.212 43.229.206.212

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: PODA-ASCZ PODA-ASCZ
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: INET-AS-IDPTInetGlobalIndoID INET-AS-IDPTInetGlobalIndoID

Source: WerFault.exe, 00000009.00000003.414184029.0000000004AFC000.00000004.00000001.sdmp

String found in binary or memory: http://crl.micro

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000002.325616365.0000000000FEB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 00000002.00000002.418568189.0000000010001000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100220F0	0_2_100220F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011460	2_2_10011460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000846C	2_2_1000846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10001494	2_2_10001494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000A52C	2_2_1000A52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10011D58	2_2_10011D58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10019348	2_2_10019348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_10010754	2_2_10010754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_100090CC	2_2_100090CC

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 764

Sample file is different than original file name gathered from version info

Source: 94a4d66c_by_Libranalysis.dll

Binary or memory string: OriginalFilenamex2otfb.dllN vs 94a4d66c_by_Libranalysis.dll

Uses 32bit PE files

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal72.troj.winDLL@6/4@0/4

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6520

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2C8.tmp

Jump to behavior

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1

Source: 94a4d66c_by_Libranalysis.dll

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 764
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1	Jump to behavior

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: 94a4d66c_by_Libranalysis.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ClusApi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000009.00000003.391972624.0000000000C65000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: advapi32.pdbw source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 00000009.00000003.393158092.0000000000C5F000.00000004.00000001.sdmp
Source:	Binary string: wsspicli.pdb' source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb) source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: dnsapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000009.00000003.392585945.0000000000C6B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: oleaut32.pdb; source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 00000009.00000003.393158092.0000000000C5F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: rasapi32.pdbe source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: nsi.pdb source: WerFault.exe, 00000009.00000003.399066244.00000000050C1000.00000004.00000040.sdmp
Source:	Binary string: rasman.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb= source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: fpmvppp.pdb source: loaddll32.exe, 00000000.00000002.325647019.0000000010025000.00000002.00020000.sdmp, 94a4d66c_by_Libranalysis.dll
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: shlwapi.pdbc source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdby source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000009.00000003.392585945.0000000000C6B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000009.00000003.399050223.00000000050B0000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb. source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000009.00000003.391972624.0000000000C65000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000009.00000003.399039498.00000000050E1000.00000004.00000001.sdmp
Source:	Binary string: iphlpapi.pdb1 source: WerFault.exe, 00000009.00000003.399059004.00000000050B7000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006207 push ebx; ret	0_2_10006208
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004E0F push 822377FAh; iretd	0_2_10004E14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005813 push eax; ret	0_2_1000590D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006830 push 82235DBAh; iretd	0_2_10006855
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002C33 push 0E950FD0h; iretd	0_2_10002D7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000585A push eax; ret	0_2_1000590D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005A7B push cs; iretd	0_2_10005B7E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10006A80 push ebx; iretd	0_2_10006A85
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002C8E push 0E950FD0h; iretd	0_2_10002D7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000388E push 8223930Ah; iretd	0_2_10003893
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100048AF push 8223A1AEh; iretd	0_2_100048B4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100066D0 push 8223737Ah; iretd	0_2_100066D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100054EF push 822385B2h; iretd	0_2_100054F4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000530F push 82230D7Eh; iretd	0_2_10005314
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000574F push 82238352h; iretd	0_2_10005754
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037A2 push cs; retf	0_2_100037DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100039C3 push edi; retf	0_2_100039C4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005FD6 push 0E950020h; retf	0_2_10005FDE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002DF3 push cs; iretd	0_2_10002E7C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100037F5 push cs; retf	0_2_100037DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_1000F6CC push esi; mov dword ptr [esp], 00000000h	2_2_1000F6CD

Source: initial sample

Static PE information: section name: .text entropy: 7.53078515147

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: WerFault.exe, 00000009.00000002.416798979.0000000005240000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000009.00000003.414293254.0000000004BBA000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000009.00000002.416798979.0000000005240000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000009.00000002.416798979.0000000005240000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000009.00000002.416798979.0000000005240000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_10006D50

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\94a4d66c_by_Libranalysis.dll',#1

Jump to behavior

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_10006D50

Source: C:\Windows\SysWOW64\rundll32.exe

2_2_10006D50

ID:	413061
Product:	CloudBasic
Start time:	07:26:07
Start date:	13.05.2021
Sample:	94a4d66c_by_Libranalysis.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	94a4d66c882da84cc0860d137104005e
SHA1:	e00e1f28f071f4a3a363f6dfc323ec4c72ef3bb6
SHA256:	68370d0a3d49288b1b76add1a49c954a8a5c5c9ca9dc337d72911286fa98c287
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_rundll32.exe_65bff377fae8bcebb61f16e22ba04e79e2bf1c7_82810a17_1b9d17e4\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	400CC28691D7E78B68B02B7B93AC76B0	7602938E8B667810C4D3E114CC08CD8E512FA02E	50BE2D735C5BA1C3C852F00E6259BC31F40C7BCAC69C44F195DE2E9704434628
C:\ProgramData\Microsoft\Windows\WER\Temp\WER400.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	A62DBC807C5C4DDAB2147717774ACD86	19C5C7947A3188C22AF9B800006991788656787E	D9DDBA86E1763735D84EFB10017A81B8E37045745D56EAD0D3739AFBF7FC8425
C:\ProgramData\Microsoft\Windows\WER\Temp\WERF2C8.tmp.dmp	Mini DuMP crash report, 14 streams, Thu May 13 14:27:30 2021, 0x1205a4 type	478E04EC5BDA6F693917302D461A3A61	E4B15E4FA20C1B5C708DD0B22626E5C9C6D9352D	634644DCC22DD4A6D0313B97A489EAB9D49F9E10582E0694346499E0E83F303C
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFCFA.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	6AEC00D324EA8720571670FEB10F768D	022402F010A14267D864BB6344AEB911335F2775	E5DA241B1A4FE1CD169017DECD51FC4973F672582222D39C8A184E3CE13A22AF

Analysis Report 94a4d66c_by_Libranalysis.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private