Windows Analysis Report SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

ID:	510679
Product:	CloudBasic
Start time:	04:52:34
Start date:	28.10.2021
Sample:	SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	2228471d39760f9a389ac95f71b671a9
SHA1:	38b7d35e72c995ca526e293af9d448a7a8011df6
SHA256:	a9238550f705b9668a390a9e7b9e4dec6a88daec2c8acca19ffa10af328d594d
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF97.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 28 12:00:21 2021, 0x1205a4 type	DB0652CF648D9BCF1F5AB9194E1F68C1	3DC406319171C59F344FB33F695D8CFD04B4EBA1	16C41435B544898BC70360A83C2FA50B6B1A3C9DA505EE93C5114909151D7A84
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD321.tmp.dmp	Mini DuMP crash report, 14 streams, Thu Oct 28 12:00:22 2021, 0x1205a4 type	D2C917AA03B5BE458524EDE31C8BF2E3	8107F1286AD10187FD5109F17D75AEC43ED1C45F	CD92C35C4C9B8ECF3827BDAD5A7C1B7339FE87A1CD79E7B1A5542CFA02DA8D03
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA56.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	A865B108032789E908917669D003D0F9	757F83168C63440CBC9EF8E26FECABDBEAB57BFB	52AAA5643776D7D5ED46F89B273A887DB942CE9780B5C465E65049F2C0099C4B
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE10.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	3F94544E2C46B95C25E14F305717973C	CE511706AE2CA5A6FB0C38819387B2AEA3DD3549	E286808229401A1183E3B16E4812CD7CC05815D03E502123FAAD69EC9AB1A19F
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDF95.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	C598E8847032D22DE4336DC03715CA84	7FE6F4EF927331D8CF98FB2E03A4D4CA131D67DF	A82ACA21C9EDEB3EF31B77AF5959D8C83D3C2814640F0EA9401F6BC71F2CE664
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0CF.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	B3001A8D69959B513E4C32F8498E9A51	DE60C3446E86F7F99BF4F47F1CD3DE8B63B276E4	8332ABDFE622AD0816941B5EB74996F7CF83F01E0DFE8B0D08BFA90021845277

AV Detection:

Found malware configuration

Source: 13.2.rundll32.exe.6e8b0000.2.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["149.202.179.100:443", "66.147.235.11:6891", "81.0.236.89:13786"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "ranVAwtYINZG8jFJSjh5rR8jx3HIZIvSCern79nVFUhfeb2NvJlOKPsGO1osGE0VchV9bFDjym"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Virustotal: Detection: 20%			Perma Link
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	ReversingLabs: Detection: 28%

Machine Learning detection for sample

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 12.0.rundll32.exe.3220000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 12.2.rundll32.exe.4d34756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.rundll32.exe.33a0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 13.0.rundll32.exe.3b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.2f80000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 4.2.rundll32.exe.29a0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 3.0.rundll32.exe.4a04756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.rundll32.exe.4484756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.2990000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 11.0.rundll32.exe.47f4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 14.0.rundll32.exe.4884756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.2990000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.3b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 1.2.loaddll32.exe.ce4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.2.rundll32.exe.3220000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 13.2.rundll32.exe.29f4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 12.0.rundll32.exe.4d34756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.2f80000.3.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 11.2.rundll32.exe.2990000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 1.2.loaddll32.exe.7b0000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 14.0.rundll32.exe.2d60000.0.unpack	Avira: Label: TR/ATRAPS.Gen2
Source: 11.2.rundll32.exe.47f4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 13.0.rundll32.exe.29f4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.rundll32.exe.36a4756.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.rundll32.exe.4a04756.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 11.0.rundll32.exe.47f4756.4.unpack	Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 149.202.179.100:443
Source: Malware configuration extractor	IPs: 66.147.235.11:6891
Source: Malware configuration extractor	IPs: 81.0.236.89:13786

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HOSTROCKETUS HOSTROCKETUS
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 66.147.235.11 66.147.235.11
Source: Joe Sandbox View	IP Address: 149.202.179.100 149.202.179.100

URLs found in memory or binary data

Source: rundll32.exe, 00000003.00000000.423532537.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.698746996.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.784764544.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.698207139.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000002.723020912.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.753729339.000000006E8CF000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.713332446.000000006E8CF000.00000002.00020000.sdmp

String found in binary or memory: http://www.vomfass.deDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 9.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rundll32.exe.6e8b0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.rundll32.exe.6e8b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000000.680670011.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.697384477.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.682183733.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.719392684.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.753337263.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.749868846.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.423290755.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.698176529.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.780387984.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.676132737.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.701129229.000000006E8B1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Joe Sandbox Cloud Basic: Detection: malicious Score: 76 Threat Name: Dridex

Perma Link

Uses 32bit PE files

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Sample file is different than original file name gathered from version info

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Binary or memory string: OriginalFilenameddlb.dll vs SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6E8B1494		1_2_6E8B1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C0754		4_2_6E8C0754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C9348		4_2_6E8C9348
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8B1494		4_2_6E8B1494
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8B846C		4_2_6E8B846C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C1460		4_2_6E8C1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8BA52C		4_2_6E8BA52C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C1D58		4_2_6E8C1D58

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C223C NtDelayExecution,		4_2_6E8C223C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8C2840 NtAllocateVirtualMemory,		4_2_6E8C2840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E8BBB88 NtClose,		4_2_6E8BBB88

Sample is known by Antivirus

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	Virustotal: Detection: 20%
Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll	ReversingLabs: Detection: 28%

PE file has an executable .text section and no other executable section

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',CheckTrust
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DownloadFile
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',GetICifFileFromFile
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll,FFRgpmdlwwWde			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',CheckTrust			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllCanUnloadNow			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DllGetClassObject			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',DownloadFile			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',GetICifFileFromFile			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652			Jump to behavior

Creates mutexes

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6296
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7144

Creates temporary files

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCF97.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal84.troj.evad.winDLL@23/6@0/3

Submission file is bigger than most known malware samples

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static file information: File size 1093632 > 1048576

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: rpidebbfll.pdb source: SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll
Source:	Binary string: wntdll.pdbUGP source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.405380149.000000004B280000.00000004.00000001.sdmp, rundll32.exe, 00000009.00000003.645478010.000000004B280000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8BF6CC push esi; mov dword ptr [esp], 00000000h

4_2_6E8BF6CD

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\SysWOW64\rundll32.exe

Section loaded: OutputDebugStringW count: 389

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\rundll32.exe

Window / User API: threadDelayed 389

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Contains functionality to query system information

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8C0754 GetTokenInformation,GetSystemInfo,GetTokenInformation,

4_2_6E8C0754

Contains medium sleeps (>= 30s)

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: WERE0CF.tmp.xml.21.dr	Binary or memory string: <arg nm="syspro" val="VMware7,1" />
Source: WERDF95.tmp.WERInternalMetadata.xml.21.dr	Binary or memory string: <SystemManufacturer>VMware, Inc.</SystemManufacturer>
Source: WERDF95.tmp.WERInternalMetadata.xml.21.dr	Binary or memory string: <SystemProductName>VMware7,1</SystemProductName>
Source: WERE0CF.tmp.xml.21.dr	Binary or memory string: <arg nm="sysmfg" val="VMware, Inc." />

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8B6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_6E8B6D50

Launches processes in debugging mode, may be used to hinder debugging

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652

Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8C3110 RtlAddVectoredExceptionHandler,

4_2_6E8C3110

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win32.Save.a.28377.dll',#1			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7144 -s 652			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6296 -s 652			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.732756195.00000000011A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.420285938.0000000003520000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.687603981.0000000002FA0000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.757450406.0000000003AE0000.00000002.00020000.sdmp, rundll32.exe, 0000000B.00000000.644072001.0000000003310000.00000002.00020000.sdmp, rundll32.exe, 0000000C.00000000.676062687.0000000003850000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000000.679799692.0000000002D90000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000000.680159187.00000000033A0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_6E8B6D50

Queries the cryptographic machine GUID

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Contains functionality to query the account / user name

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E8B6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

4_2_6E8B6D50