Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.Variant.Graftor.981531.21000.9246

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Graftor.981531.21000.9246 (renamed file extension from 9246 to dll)
Analysis ID:	455752
MD5:	f3895703410910aa0ef2f7da6a12dd49
SHA1:	18a05909877ba997e3acda5426d5a28a4159c089
SHA256:	688bc9341860e2f04f307f162f71a628896bc6ca9fa200be54eee05a4b69cb72
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Found PHP interpreter

Machine Learning detection for sample

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6524 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 6536 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 6576 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5784 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 672 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["46.55.222.10:443", "104.248.178.90:4664", "173.212.243.155:7002"], "RC4 keys": ["TlzeoaANiJLtcEAzNS7uZ3KSSRK6oFpIoDHQ62eZwk", "DSZImon5Amvp18afhhpJ5slHb4KiGr7qCFcVbrMfqMAezKKzyK5CJx2kyEDS4LKI"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.390127958.000000006E2D1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.388937385.000000006E2D1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.6e2d0000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e2d0000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6e2d0000.7.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.0.rundll32.exe.6e2d0000.7.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["46.55.222.10:443", "104.248.178.90:4664", "173.212.243.155:7002"], "RC4 keys": ["TlzeoaANiJLtcEAzNS7uZ3KSSRK6oFpIoDHQ62eZwk", "DSZImon5Amvp18afhhpJ5slHb4KiGr7qCFcVbrMfqMAezKKzyK5CJx2kyEDS4LKI"]}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	Virustotal: Detection: 32%			Perma Link
Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	ReversingLabs: Detection: 23%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.397663740.0000000002E45000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.401275551.0000000002E3F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.397681729.0000000002E4B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb? source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.401275551.0000000002E3F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: RRGTYY.pdb source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb5 source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb3 source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb! source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.397681729.0000000002E4B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.397663740.0000000002E45000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb} source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 46.55.222.10:443
Source: Malware configuration extractor	IPs: 104.248.178.90:4664
Source: Malware configuration extractor	IPs: 173.212.243.155:7002

Source: Joe Sandbox View	IP Address: 104.248.178.90 104.248.178.90
Source: Joe Sandbox View	IP Address: 173.212.243.155 173.212.243.155

Source: Joe Sandbox View	ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View	ASN Name: CONTABODE CONTABODE

Source: loaddll32.exe, 00000000.00000002.324643149.000000006E58E000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Graftor.981531.21000.dll

String found in binary or memory: http://www.php.netD

Source: loaddll32.exe, 00000000.00000002.324532981.00000000015BB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.6e2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e2d0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e2d0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.390127958.000000006E2D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.388937385.000000006E2D1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.428086465.000000006E2D1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Found PHP interpreter

Show sources

Source: loaddll32.exe, 00000000.00000002.324643149.000000006E58E000.00000002.00020000.sdmp	String found in binary or memory: CompanyNameThe PHP Group2
Source: loaddll32.exe, 00000000.00000002.324643149.000000006E58E000.00000002.00020000.sdmp	String found in binary or memory: 1997-2018 The PHP Group0
Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	String found in binary or memory: CompanyNameThe PHP Group2
Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	String found in binary or memory: 1997-2018 The PHP Group0

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2E9348	3_2_6E2E9348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2E0754	3_2_6E2E0754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2D846C	3_2_6E2D846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2E1460	3_2_6E2E1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2D1494	3_2_6E2D1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2DA52C	3_2_6E2DA52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6E2E1D58	3_2_6E2E1D58

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 672

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Binary or memory string: OriginalFilenamesir_ehh8_12h.dll( vs SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal76.troj.winDLL@6/4@0/3

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6576

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER83D4.tmp

Jump to behavior

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	Virustotal: Detection: 32%
Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll	ReversingLabs: Detection: 23%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 672
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1	Jump to behavior

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.397663740.0000000002E45000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.401275551.0000000002E3F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.397681729.0000000002E4B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: bcrypt.pdb? source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.401275551.0000000002E3F000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: RRGTYY.pdb source: SecuriteInfo.com.Variant.Graftor.981531.21000.dll
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb5 source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb3 source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb! source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.397681729.0000000002E4B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.407118640.0000000004E40000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.397663740.0000000002E45000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.406861516.0000000004CF1000.00000004.00000001.sdmp
Source:	Binary string: propsys.pdb} source: WerFault.exe, 0000000B.00000003.407346883.0000000004E46000.00000004.00000040.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E2DF6CC push esi; mov dword ptr [esp], 00000000h

3_2_6E2DF6CD

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: WerFault.exe, 0000000B.00000002.424826209.0000000004ED0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000B.00000003.422709638.0000000004A2E000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000B.00000002.424826209.0000000004ED0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000B.00000002.424826209.0000000004ED0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000B.00000002.424826209.0000000004ED0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 3_2_6E2D6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_6E2D6D50

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Graftor.981531.21000.dll',#1

Jump to behavior

Source: rundll32.exe, 00000003.00000000.388018657.0000000002D00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000000.388018657.0000000002D00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000000.388018657.0000000002D00000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: rundll32.exe, 00000003.00000000.388018657.0000000002D00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_6E2D6D50

Source: C:\Windows\SysWOW64\rundll32.exe

3_2_6E2D6D50

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Process Injection12	Virtualization/Sandbox Evasion1	Input Capture1	Security Software Discovery21	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Scripting1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Account Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	System Owner/User Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery11	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Graftor.981531.21000.9246

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph