
Windows Analysis Report SecuriteInfo.com.Variant.Razy.980776.8232.dll

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Razy.980776.8232.dll
Analysis ID: 510689
MD5: 6df0687582c592e9860683a68858e082
SHA1: 53780def0699c055381746ce4ecebef8f17fd12d
SHA256: 90877ec621cc53fc31e693362e3b335a429aecc77abdbfd8b7d5d7493478f36d
Tags: dll

Detection

Dridex
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Found detection on Joe Sandbox Cloud Basic with higher score
Detected Dridex e-Banking trojan
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4248 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 2248 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6340 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5016 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Bluewing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6332 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Earth MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6352 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Masterjust MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 10444, "C2 list": ["192.46.210.220:443", "143.244.140.214:808", "45.77.0.96:6891", "185.56.219.47:8116"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "syF7NqCylLS878kcIy9w5XeI8w6uMrqVwowz4h3uWHHlWsr5ELTiXic3wgqbllkcZyNGwPGihI"]}
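The configuration above is the whole operational indicator set for this sample: four hard-coded IPv4:port C2 endpoints, three of them on non-standard ports, and two RC4 keys. The following is an added example (editor's code, not Joe Sandbox's or the configuration extractor's) of turning that JSON into validated indicators and Suricata rules. The JSON is copied from the report; the JA3 value is the one the report lists in the Networking section; the rule SIDs, message strings and the `ja3.hash` keyword syntax (Suricata 5 or later) are assumptions for illustration.

```python
"""Turn the Dridex configuration extracted above into network IOCs and rules.

Added example for this report, not Joe Sandbox or extractor code. The JSON is
the configuration shown on the page; the rule SIDs, message strings and the
Suricata keyword syntax (ja3.hash sticky buffer, Suricata 5 or later) are
assumptions for illustration.
"""
import ipaddress
import json

# Configuration as extracted by the report (verbatim from the page).
DRIDEX_CONFIG = json.loads(
    '{"Version": 10444, "C2 list": ["192.46.210.220:443", "143.244.140.214:808", '
    '"45.77.0.96:6891", "185.56.219.47:8116"], "RC4 keys": '
    '["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", '
    '"syF7NqCylLS878kcIy9w5XeI8w6uMrqVwowz4h3uWHHlWsr5ELTiXic3wgqbllkcZyNGwPGihI"]}'
)

# JA3 client fingerprint the report attributes to this sample's TLS sessions.
JA3_HASH = "51c64c77e60f3980eea90869b68c58a8"

# Ports an HTTPS client is expected to use; everything else is "non-standard".
STANDARD_PORTS = {80, 443}


def parse_c2_list(config):
    """Return [(ip, port)] from the config's 'C2 list', dropping bad entries.

    The list holds bare IPv4:port pairs (no hostnames), so each entry must
    parse as an IPv4 address and an in-range port; anything else is skipped
    instead of becoming a rule that can never match.
    """
    endpoints = []
    for entry in config.get("C2 list", []):
        host, sep, port = entry.rpartition(":")
        if not sep:
            continue
        try:
            ip = ipaddress.IPv4Address(host)
            port = int(port)
        except ValueError:  # AddressValueError is a ValueError subclass
            continue
        if 1 <= port <= 65535:
            endpoints.append((str(ip), port))
    return endpoints


def non_standard_ports(endpoints):
    """Ports outside 80/443; what 'TCP or UDP traffic on non-standard ports' keys on."""
    return sorted({port for _, port in endpoints if port not in STANDARD_PORTS})


def suricata_rules(config, ja3_hash=None, base_sid=9000000):
    """One outbound alert per C2 endpoint, plus an optional JA3 client-hello rule."""
    version = config.get("Version", "unknown")
    rules = []
    for i, (ip, port) in enumerate(parse_c2_list(config)):
        rules.append(
            f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"Dridex v{version} C2 connection"; flow:to_server,established; '
            f"classtype:trojan-activity; sid:{base_sid + i}; rev:1;)"
        )
    if ja3_hash:
        # JA3 hashes the ClientHello, so match on the client-to-server TLS flow.
        rules.append(
            "alert tls $HOME_NET any -> $EXTERNAL_NET any "
            f'(msg:"Dridex v{version} JA3 client fingerprint"; ja3.hash; '
            f'content:"{ja3_hash}"; classtype:trojan-activity; '
            f"sid:{base_sid + 100}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    c2 = parse_c2_list(DRIDEX_CONFIG)
    print("C2 endpoints:", c2)
    print("non-standard ports:", non_standard_ports(c2))
    print("\n".join(suricata_rules(DRIDEX_CONFIG, JA3_HASH)))
```

The per-endpoint rules are narrow on purpose: Dridex configs carry raw IPs, so matching destination IP and port is exact and cheap, while the JA3 rule is the broader net for the same loader family across C2 rotations and should be treated as a lower-confidence signal on its own.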

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000003.429863191.0000000003410000.00000040.00000001.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000003.00000003.404224619.0000000004740000.00000040.00000010.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000003.00000002.690890687.000000006E9F1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000000.00000002.690396403.000000006E9F1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
00000004.00000003.420461174.0000000004120000.00000040.00000001.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
(2 further entries not shown in this export)

Unpacked PEs

Source | Rule | Description | Author
3.3.rundll32.exe.475db55.0.raw.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
3.3.rundll32.exe.475db55.0.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
2.3.rundll32.exe.492db55.0.raw.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
5.3.rundll32.exe.342db55.0.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
4.3.rundll32.exe.413db55.0.raw.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security
(7 further entries not shown in this export)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.6e9f0000.0.unpack | Malware Configuration Extractor: Dridex {"Version": 10444, "C2 list": ["192.46.210.220:443", "143.244.140.214:808", "45.77.0.96:6891", "185.56.219.47:8116"], "RC4 keys": ["9fRysqcdPgZffBlroqJaZHyCvLvD6BUV", "syF7NqCylLS878kcIy9w5XeI8w6uMrqVwowz4h3uWHHlWsr5ELTiXic3wgqbllkcZyNGwPGihI"]}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll | ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: unknown | HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Gun\208-town\521\exa\botto\party.pdb | source: loaddll32.exe, 00000000.00000002.690574263.000000006EAB7000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.691096574.000000006EAB7000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.8232.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA1CEF8 FindFirstFileExW, 0_2_6EA1CEF8

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.77.0.96 235
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.56.219.47 180
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.46.210.220 187
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 143.244.140.214 40
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 192.46.210.220:443
Source: Malware configuration extractor | IPs: 143.244.140.214:808
Source: Malware configuration extractor | IPs: 45.77.0.96:6891
Source: Malware configuration extractor | IPs: 185.56.219.47:8116
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: KELIWEBIT
Source: Joe Sandbox View | JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: global traffic | HTTP traffic detected (17 requests, collapsed): POST / HTTP/1.1 | Host: 192.46.210.220 | Content-Length: 4814 (7 requests) or 4802 (10 requests) | Connection: Close | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 45.77.0.96
Source: Joe Sandbox View | IP Address: 185.56.219.47
Source: global traffic | TCP traffic: 192.168.2.3:49745 -> 143.244.140.214:808
Source: global traffic | TCP traffic: 192.168.2.3:49748 -> 45.77.0.96:6891
Source: global traffic | TCP traffic: 192.168.2.3:49750 -> 185.56.219.47:8116
Source: unknown | Network traffic detected (34 entries, collapsed): HTTP traffic on port 443, in both directions, for 17 client ports: 49743, 49744, 49752, 49753, 49760, 49761, 49768, 49769, 49776, 49779, 49786, 49787, 49799, 49800, 49806, 49810, 49823
Source: global traffic | HTTP traffic detected (17 responses, collapsed): HTTP/1.1 403 Forbidden | Server: nginx/1.15.12 | Content-Type: text/plain; charset=utf-8 | Connection: close | Date: Thu, 28 Oct 2021 03:11:10, 03:11:12, 03:11:21, 03:11:22, 03:11:28, 03:11:29, 03:11:36, 03:11:37, 03:11:44, 03:11:45, 03:11:51, 03:11:52, 03:11:59, 03:12:00, 03:12:09, 03:12:16, 03:12:24 GMT
Source: unknown | TCP traffic detected without corresponding DNS query (50 entries, collapsed): 143.244.140.214 (22 entries), 45.77.0.96 (21 entries), 185.56.219.47 (7 entries)
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.690375377.0000000002F60000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.3.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: loaddll32.exe, 00000000.00000003.563593432.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://14.77.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://143.244.140.214/
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://143.244.140.214:808/
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://143.244.140.214:808/Q#
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://143.244.140.214:808/hy
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://143.244.140.214:808/l
Source: loaddll32.exe, 00000000.00000003.502791575.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://143.244.140.214:808/l?
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://143.244.140.214:808/la
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.502791575.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://143.244.140.214:808/oft
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://143.244.140.214:808/q
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://185.56.219.47/
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.680691305.0000000002F6D000.00000004.00000001.sdmp | String found in binary or memory: https://185.56.219.47:8116/
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://185.56.219.47:8116/0
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://185.56.219.47:8116/N
Source: rundll32.exe, 00000003.00000003.680691305.0000000002F6D000.00000004.00000001.sdmp | String found in binary or memory: https://185.56.219.47:8116/dv
Source: loaddll32.exe, 00000000.00000003.577280807.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://185.56.219.47:8116/fW
Source: loaddll32.exe, 00000000.00000003.462263005.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://185.56.219.47:8116/ion
Source: loaddll32.exe, 00000000.00000003.577280807.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://185.56.219.47:8116/soft
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000002.689702912.0000000000958000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000002.690791416.000000000516B000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/
Source: loaddll32.exe, 00000000.00000003.544483266.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/#
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/4
Source: loaddll32.exe, 00000000.00000003.588542821.0000000000997000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/7.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.462263005.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/:
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/A
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/H
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/N
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/S
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/X
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/a
Source: loaddll32.exe, 00000000.00000003.528593129.000000000095A000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.577280807.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/aenh.dll
Source: loaddll32.exe, 00000000.00000002.689702912.0000000000958000.00000004.00000020.sdmp | String found in binary or memory: https://192.46.210.220/e
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/k
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://192.46.210.220/w
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.452876324.0000000002F60000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/
Source: loaddll32.exe, 00000000.00000003.588542821.0000000000997000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/.0.96:6891/m
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/14
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/6
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/F
Source: loaddll32.exe, 00000000.00000003.462293153.0000000000998000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/I
Source: loaddll32.exe, 00000000.00000003.588542821.0000000000997000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/Microsoft
Source: loaddll32.exe, 00000000.00000003.588479103.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/N
Source: loaddll32.exe, 00000000.00000003.502791575.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/der
Source: loaddll32.exe, 00000000.00000003.502791575.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/der.
Source: loaddll32.exe, 00000000.00000003.502791575.000000000095F000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/der6
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/derF
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp, loaddll32.exe, 00000000.00000003.577280807.000000000095A000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.690791416.000000000516B000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/graphy
Source: loaddll32.exe, 00000000.00000003.528593129.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/m
Source: loaddll32.exe, 00000000.00000003.454214187.0000000000960000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/n
Source: loaddll32.exe, 00000000.00000003.550818724.000000000095A000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/r
Source: loaddll32.exe, 00000000.00000003.507832942.000000000095E000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/s
Source: rundll32.exe, 00000003.00000003.452876324.0000000002F60000.00000004.00000001.sdmp | String found in binary or memory: https://45.77.0.96:6891/tv
Source: loaddll32.exe, 00000000.00000003.588542821.0000000000997000.00000004.00000001.sdmp | String found in binary or memory: https://45192.46.210.220/
Note: the only request path observed on the wire in this analysis is / (see the POST requests above). The suffixes and mangled hosts in the memory strings (for example /oft, /soft, /graphy, /Microsoft, /7.0.96:6891/, 45192.46.210.220) are what the string scan picked up next to the C2 URLs in process memory and should not be used as URL-path indicators; the four IP:port pairs from the configuration are the reliable network IOCs.
                      Source: unknownHTTP traffic detected: POST / HTTP/1.1Host: 192.46.210.220Content-Length: 4814Connection: CloseCache-Control: no-cache
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6EA239F9 InternetReadFile,0_2_6EA239F9
                      Source: unknownHTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49743 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 192.46.210.220:443 -> 192.168.2.3:49744 version: TLS 1.2

                      E-Banking Fraud:

                      Yara detected Dridex unpacked file
                      Source: Yara match | File source: 3.3.rundll32.exe.475db55.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.3.rundll32.exe.475db55.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.492db55.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.342db55.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.413db55.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.9fdb55.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.3.rundll32.exe.413db55.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 2.3.rundll32.exe.492db55.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.3.loaddll32.exe.9fdb55.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.loaddll32.exe.6e9f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 5.3.rundll32.exe.342db55.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 3.2.rundll32.exe.6e9f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000005.00000003.429863191.0000000003410000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.404224619.0000000004740000.00000040.00000010.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000002.690890687.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.690396403.000000006E9F1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000003.420461174.0000000004120000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000002.00000003.396279024.0000000004910000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.431718268.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
                      Detected Dridex e-Banking trojan
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E9F51A7 OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 0_2_6E9F51A7

                      System Summary:

                      Found detection on Joe Sandbox Cloud Basic with higher score
                      Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll | Joe Sandbox Cloud Basic: Detection: malicious Score: 88 Threat Name: Dridex
                      Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA022A0 NtDelayExecution, 0_2_6EA022A0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA1BE30 NtClose, 0_2_6EA1BE30
                      Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll | ReversingLabs: Detection: 18%
                      Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll'
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Bluewing
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Earth
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Masterjust
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Bluewing
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Earth
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Masterjust
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                      Source: classification engine | Classification label: mal92.bank.troj.evad.winDLL@11/1@0/4
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll,Bluewing
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
                      Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll | Static file information: File size 1375232 > 1048576
                      Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: SecuriteInfo.com.Variant.Razy.980776.8232.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: c:\Gun\208-town\521\exa\botto\party.pdb | source: loaddll32.exe, 00000000.00000002.690574263.000000006EAB7000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.691096574.000000006EAB7000.00000002.00020000.sdmp, SecuriteInfo.com.Variant.Razy.980776.8232.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
                      Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\loaddll32.exe | Code function: OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,OutputDebugStringA,Sleep,OutputDebugStringA,GetAdaptersInfo, 0_2_6E9F51A7
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA03930 GetTokenInformation,GetTokenInformation,GetSystemInfo,GetTokenInformation, 0_2_6EA03930
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA1CEF8 FindFirstFileExW, 0_2_6EA1CEF8
                      Source: loaddll32.exe, 00000000.00000002.689683727.000000000094C000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA363A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EA363A0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA68B60 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV, 3_2_6EA68B60
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA647C0 mov ecx, dword ptr fs:[00000030h] 3_2_6EA647C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EB3BA72 mov eax, dword ptr fs:[00000030h] 3_2_6EB3BA72
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EB3B64D push dword ptr fs:[00000030h] 3_2_6EB3B64D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EB3B942 mov eax, dword ptr fs:[00000030h] 3_2_6EB3B942
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA06C50 KiUserExceptionDispatcher,LdrLoadDll, 0_2_6EA06C50
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA07A60 RtlAddVectoredExceptionHandler, 0_2_6EA07A60
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6EA363A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6EA363A0

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 45.77.0.96 235
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 185.56.219.47 180
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 192.46.210.220 187
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 143.244.140.214 40
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.980776.8232.dll',#1
                      Source: loaddll32.exe, 00000000.00000002.690065461.00000000014A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.690497841.0000000003330000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                      Source: loaddll32.exe, 00000000.00000002.690065461.00000000014A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.690497841.0000000003330000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                      Source: loaddll32.exe, 00000000.00000002.690065461.00000000014A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.690497841.0000000003330000.00000002.00020000.sdmp | Binary or memory string: Progman
                      Source: loaddll32.exe, 00000000.00000002.690065461.00000000014A0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.690497841.0000000003330000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 3_2_6EA81E60
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 3_2_6EA81F40
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetACP,GetLocaleInfoW, 3_2_6EA82750
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 3_2_6EA6B0B0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, 3_2_6EA6BC30
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 3_2_6EA81DB0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6EA82960
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
                      Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EA02980 GetUserNameW, 0_2_6EA02980

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection112 | Process Injection112 | OS Credential Dumping | Security Software Discovery21 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rundll321 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | Account Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Owner/User Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol2 | SIM Card Swap |  | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol13 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Network Configuration Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery23 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

                      Behavior Graph
