Loading ...

Play interactive tourEdit tour

Windows Analysis Report SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

Overview

General Information

Sample Name:SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
Analysis ID:544184
MD5:d633b0989e97dc05b09b6233fb53cf37
SHA1:6e5a7f0493fea40bd213209ad06f4dd9069969ed
SHA256:03ba158e40b1f9c80c0430cd9a06f00bcbddd3826a5965fccb4ac5b242b91a2c
Tags:dllDridex
Infos:

Most interesting Screenshot:

Detection

Dridex
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to delay execution (extensive OutputDebugStringW loop)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Entry point lies outside standard sections
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6168 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1228 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4232 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 4696 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000000.351015506.000000006F501000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
    00000004.00000002.395029698.000000006F501000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
      00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
        00000004.00000000.352673706.000000006F501000.00000020.00020000.sdmpJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          4.0.rundll32.exe.6f500000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
            1.2.loaddll32.exe.6f500000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
              4.2.rundll32.exe.6f500000.2.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security
                4.0.rundll32.exe.6f500000.5.unpackJoeSecurity_Dridex_1Yara detected Dridex unpacked fileJoe Security

                  Sigma Overview

                  System Summary:

                  barindex
                  Sigma detected: Suspicious Call by OrdinalShow sources
                  Source: Process startedAuthor: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1228, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1, ProcessId: 4232

                  Jbx Signature Overview

                  Click to jump to signature section

                  Show All Signature Results

                  AV Detection:

                  barindex
                  Found malware configurationShow sources
                  Source: 1.2.loaddll32.exe.6f500000.2.unpackMalware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}
                  Multi AV Scanner detection for submitted fileShow sources
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dllReversingLabs: Detection: 30%
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                  Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.357261352.000000000526F000.00000004.00000001.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: powrprof.pdb5 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.355098494.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb3 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdb9 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: winspool.pdb+ source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdbA source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb' source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
                  Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.355098494.000000004B280000.00000004.00000001.sdmp
                  Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: setupapi.pdb- source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp

                  Networking:

                  barindex
                  C2 URLs / IPs found in malware configurationShow sources
                  Source: Malware configuration extractorIPs: 144.91.122.102:443
                  Source: Malware configuration extractorIPs: 85.10.248.28:593
                  Source: Malware configuration extractorIPs: 185.4.135.27:5228
                  Source: Malware configuration extractorIPs: 80.211.3.13:8116
                  Source: Joe Sandbox ViewASN Name: TOPHOSTGR TOPHOSTGR
                  Source: Joe Sandbox ViewASN Name: HETZNER-ASDE HETZNER-ASDE
                  Source: Joe Sandbox ViewASN Name: ARUBA-ASNIT ARUBA-ASNIT
                  Source: Joe Sandbox ViewIP Address: 185.4.135.27 185.4.135.27
                  Source: Joe Sandbox ViewIP Address: 85.10.248.28 85.10.248.28
                  Source: Joe Sandbox ViewIP Address: 80.211.3.13 80.211.3.13
                  Source: WerFault.exe, 00000007.00000002.392906912.0000000005267000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.390686455.0000000005267000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.390854783.0000000005267000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.c
                  Source: WerFault.exe, 00000007.00000002.392821249.00000000051D8000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.390936309.00000000051D8000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: Amcache.hve.7.drString found in binary or memory: http://upx.sf.net
                  Source: loaddll32.exe, 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352722173.000000006F51F000.00000002.00020000.sdmpString found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$

                  E-Banking Fraud:

                  barindex
                  Yara detected Dridex unpacked fileShow sources
                  Source: Yara matchFile source: 4.0.rundll32.exe.6f500000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 1.2.loaddll32.exe.6f500000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.2.rundll32.exe.6f500000.2.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 4.0.rundll32.exe.6f500000.5.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000004.00000000.351015506.000000006F501000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000002.395029698.000000006F501000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000004.00000000.352673706.000000006F501000.00000020.00020000.sdmp, type: MEMORY

                  System Summary:

                  barindex
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dllBinary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 684
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F510730
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F519370
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F51143C
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F508428
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F50A4E8
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F501494
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F512234 NtDelayExecution,
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F512820 NtAllocateVirtualMemory,
                  Source: C:\Windows\System32\loaddll32.exeProcess Stats: CPU usage > 98%
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dllReversingLabs: Detection: 30%
                  Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
                  Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll"
                  Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 684
                  Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
                  Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4232
                  Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER55D7.tmpJump to behavior
                  Source: classification engineClassification label: mal76.troj.evad.winDLL@6/6@0/4
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                  Source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.357261352.000000000526F000.00000004.00000001.sdmp
                  Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: powrprof.pdb5 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdb source: loaddll32.exe, 00000001.00000003.355098494.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb3 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdb9 source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: winspool.pdb+ source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdbA source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb' source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
                  Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000001.00000003.355098494.000000004B280000.00000004.00000001.sdmp
                  Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: setupapi.pdb- source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.362705058.0000000005660000.00000004.00000040.sdmp
                  Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.362713341.0000000005666000.00000004.00000040.sdmp
                  Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.362697511.0000000005531000.00000004.00000001.sdmp
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F50F6A8 push esi; mov dword ptr [esp], 00000000h
                  Source: initial sampleStatic PE information: section where entry point is pointing to: .rdata
                  Source: C:\Windows\SysWOW64\WerFault.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  barindex
                  Tries to delay execution (extensive OutputDebugStringW loop)Show sources
                  Source: C:\Windows\System32\loaddll32.exeSection loaded: OutputDebugStringW count: 1136
                  Source: C:\Windows\System32\loaddll32.exeWindow / User API: threadDelayed 1136
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F510730 GetTokenInformation,GetSystemInfo,GetTokenInformation,
                  Source: Amcache.hve.7.drBinary or memory string: VMware
                  Source: Amcache.hve.7.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                  Source: Amcache.hve.7.drBinary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af
                  Source: WerFault.exe, 00000007.00000002.392769142.00000000051A0000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAWH#
                  Source: Amcache.hve.7.drBinary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                  Source: Amcache.hve.7.drBinary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.7.drBinary or memory string: VMware, Inc.
                  Source: Amcache.hve.7.drBinary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                  Source: Amcache.hve.7.drBinary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.7.drBinary or memory string: VMware7,1
                  Source: Amcache.hve.7.drBinary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.7.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: WerFault.exe, 00000007.00000002.392807664.00000000051CA000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.390922886.00000000051CA000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW
                  Source: Amcache.hve.7.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.7.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.7.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x
                  Source: Amcache.hve.7.drBinary or memory string: VMware, Inc.me
                  Source: Amcache.hve.7.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                  Source: Amcache.hve.7.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                  Source: C:\Windows\SysWOW64\rundll32.exeProcess queried: DebugPort
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F506D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F513138 RtlAddVectoredExceptionHandler,
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
                  Source: loaddll32.exe, 00000001.00000002.738185203.0000000001C60000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352389170.0000000002EA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.350074236.0000000002EA0000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
                  Source: loaddll32.exe, 00000001.00000002.738185203.0000000001C60000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352389170.0000000002EA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.350074236.0000000002EA0000.00000002.00020000.sdmpBinary or memory string: Progman
                  Source: loaddll32.exe, 00000001.00000002.738185203.0000000001C60000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352389170.0000000002EA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.350074236.0000000002EA0000.00000002.00020000.sdmpBinary or memory string: &Program Manager
                  Source: loaddll32.exe, 00000001.00000002.738185203.0000000001C60000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352389170.0000000002EA0000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.350074236.0000000002EA0000.00000002.00020000.sdmpBinary or memory string: Progmanlock
                  Source: C:\Windows\System32\loaddll32.exeCode function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
                  Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_6F506D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,
                  Source: Amcache.hve.7.drBinary or memory string: c:\program files\windows defender\msmpeng.exe

                  Mitre Att&ck Matrix

                  Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                  Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection12Virtualization/Sandbox Evasion11OS Credential DumpingQuery Registry1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                  Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection12LSASS MemorySecurity Software Discovery31Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                  Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerVirtualization/Sandbox Evasion11SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                  Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Rundll321NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
                  Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware PackingLSA SecretsApplication Window Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                  Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsAccount Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                  External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncSystem Owner/User Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                  Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemRemote System Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                  Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Information Discovery13Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                  Behavior Graph

                  Hide Legend

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 544184 Sample: SecuriteInfo.com.W32.AIDete... Startdate: 22/12/2021 Architecture: WINDOWS Score: 76 18 185.4.135.27 TOPHOSTGR Greece 2->18 20 85.10.248.28 HETZNER-ASDE Germany 2->20 22 2 other IPs or domains 2->22 24 Found malware configuration 2->24 26 Multi AV Scanner detection for submitted file 2->26 28 Yara detected Dridex unpacked file 2->28 30 2 other signatures 2->30 9 loaddll32.exe 1 2->9         started        signatures3 process4 signatures5 32 Tries to delay execution (extensive OutputDebugStringW loop) 9->32 12 cmd.exe 1 9->12         started        process6 process7 14 rundll32.exe 12->14         started        process8 16 WerFault.exe 23 9 14->16         started       

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                  windows-stand

                  Antivirus, Machine Learning and Genetic Malware Detection

                  Initial Sample

                  SourceDetectionScannerLabelLink
                  SecuriteInfo.com.W32.AIDetect.malware1.23460.dll30%ReversingLabsWin32.Worm.Cridex

                  Dropped Files

                  No Antivirus matches

                  Unpacked PE Files

                  SourceDetectionScannerLabelLinkDownload
                  4.0.rundll32.exe.2a90000.4.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  4.2.rundll32.exe.2a90000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  1.2.loaddll32.exe.6f500000.2.unpack100%AviraHEUR/AGEN.1144420Download File
                  4.2.rundll32.exe.6f500000.2.unpack100%AviraHEUR/AGEN.1144420Download File
                  1.2.loaddll32.exe.1580000.0.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  4.0.rundll32.exe.6f500000.2.unpack100%AviraHEUR/AGEN.1144420Download File
                  4.0.rundll32.exe.2a90000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                  4.0.rundll32.exe.6f500000.5.unpack100%AviraHEUR/AGEN.1144420Download File

                  Domains

                  No Antivirus matches

                  URLs

                  SourceDetectionScannerLabelLink
                  http://www.n4pkg6fy8o.gaDVarFileInfo$0%Avira URL Cloudsafe

                  Domains and IPs

                  Contacted Domains

                  No contacted domains info

                  URLs from Memory and Binaries

                  NameSourceMaliciousAntivirus DetectionReputation
                  http://upx.sf.netAmcache.hve.7.drfalse
                    high
                    http://www.n4pkg6fy8o.gaDVarFileInfo$loaddll32.exe, 00000001.00000002.739123881.000000006F51F000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000000.352722173.000000006F51F000.00000002.00020000.sdmpfalse
                    • Avira URL Cloud: safe
                    low

                    Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public

                    IPDomainCountryFlagASNASN NameMalicious
                    185.4.135.27
                    unknownGreece
                    199246TOPHOSTGRtrue
                    85.10.248.28
                    unknownGermany
                    24940HETZNER-ASDEtrue
                    80.211.3.13
                    unknownItaly
                    31034ARUBA-ASNITtrue
                    144.91.122.102
                    unknownGermany
                    51167CONTABODEtrue

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:544184
                    Start date:22.12.2021
                    Start time:20:18:38
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 7m 19s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Run name:Run with higher sleep bypass
                    Number of analysed new started processes analysed:25
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal76.troj.evad.winDLL@6/6@0/4
                    EGA Information:Failed
                    HDC Information:
                    • Successful, ratio: 96.2% (good quality ratio 93.8%)
                    • Quality average: 79.5%
                    • Quality standard deviation: 25.7%
                    HCA Information:Failed
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Sleeps bigger than 120000ms are automatically reduced to 1000ms
                    • Found application associated with file extension: .dll
                    Warnings:
                    Show All
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 23.54.113.53, 13.89.179.12
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com
                    • Not all processes where analyzed, report is missing behavior information
                    • VT rate limit hit for: SecuriteInfo.com.W32.AIDetect.malware1.23460.dll

                    Simulations

                    Behavior and APIs

                    No simulations

                    Joe Sandbox View / Context

                    IPs

                    No context

                    Domains

                    No context

                    ASN

                    No context

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_435bf9987f6a7ee95ec1aabecf98fbf5b0b7b2_82810a17_13c89011\Report.wer
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):65536
                    Entropy (8bit):0.922046286040136
                    Encrypted:false
                    SSDEEP:192:kuif0oXD5/HBUZMX4jed+uf/u7sQS274ItWc:xihXD5/BUZMX4jeDf/u7sQX4ItWc
                    MD5:528060B5278288935D8E6E6CF8D7AA55
                    SHA1:FF1EF30180D490BB6A85C15D68F2B1119475EA94
                    SHA-256:C4D626A7AF577A1F8EBCD56B59087B49387B53CBD5A04428F9B6D298F1CF35B4
                    SHA-512:723AA4D573412B9810A4150B22E4776C1B986D57AC2671135709ED76EABFC1D94E8A1A1E2AA8BAC2FB31A0E6E53A8AEC1D188A1D562290ABC533D1B57076B0DA
                    Malicious:false
                    Reputation:low
                    Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.4.7.0.6.7.8.2.5.9.7.9.6.3.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.4.7.0.6.7.9.5.9.1.0.3.3.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.8.d.2.f.6.9.-.4.1.8.2.-.4.e.f.4.-.9.f.9.8.-.c.c.2.4.b.8.2.2.e.b.4.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.1.f.7.1.5.7.-.7.5.1.3.-.4.3.4.d.-.b.2.2.3.-.0.8.1.c.8.5.0.e.7.7.7.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.8.8.-.0.0.0.1.-.0.0.1.7.-.e.0.3.e.-.2.4.4.b.b.4.f.7.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER55D7.tmp.dmp
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:Mini DuMP crash report, 14 streams, Thu Dec 23 04:19:44 2021, 0x1205a4 type
                    Category:dropped
                    Size (bytes):45716
                    Entropy (8bit):2.1093383506020773
                    Encrypted:false
                    SSDEEP:192:Jw7nbKPGzO5SkbmQvomqJuK1J2Ba/9dU9nEQ:mg5Lbpgmm19/9diL
                    MD5:BDCA39B95DCCA06B3BC45BF211957E91
                    SHA1:68BC6890AC691D3D2F409C14E2C4460A546FB14B
                    SHA-256:0D370B79901BC4C5146EE15791B426EEA3E2F468C0E1EE5033410DB53F1B7794
                    SHA-512:8A43057934049A0DF909028404F23115F4C255CF9D0280FF10537733B2E9183F62C0782EE207659E99F276D6C09DB28D17989C268A28B0CC3785FB0042509154
                    Malicious:false
                    Reputation:low
                    Preview: MDMP....... ..........a.........................................-..........T.......8...........T...........@...T............................................................................................U...........B...... .......GenuineIntelW...........T..............a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D4A.tmp.WERInternalMetadata.xml
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):8326
                    Entropy (8bit):3.693310442719386
                    Encrypted:false
                    SSDEEP:192:Rrl7r3GLNiqf67Og9sTk6Y6z6AgmfT/mS/I4CprX89blssfbXm:RrlsNii6L6Y+6AgmfT/mS9l/fC
                    MD5:0A7BC57EF58024A7A991B0B14B694B99
                    SHA1:85AF48EF4DFA78D86ADAE9794F4BD40C44E48946
                    SHA-256:156B0D27C80F18941CFCE06A2F78C31439DA7BC751E27979B14FF557020C94A1
                    SHA-512:01265703B4D0FBF63C46786555DFAB0301789E18692CCEEFE0DE45C9DF453059125B4CCEAFC39820BB452C2347EFF85FCBB87264AF354CD6B2081EB92F65D4AD
                    Malicious:false
                    Reputation:low
                    Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.3.2.<./.P.i.d.>.......
                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER6097.tmp.xml
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4698
                    Entropy (8bit):4.490534423613956
                    Encrypted:false
                    SSDEEP:48:cvIwSD8zsRJgtWI9RtWSC8B+8fm8M4JCdsD6hF5+q8/QYB754SrSSd:uITfjqcSNRJlqVU5DWSd
                    MD5:671F09B31CC9A830D437045318954C3A
                    SHA1:268D9552435BD588930BAA6FE561B848A93039A7
                    SHA-256:E1CCEF37FF3FFDA37AE3F4434CEEFC4A4B7DAC35C8243AF7A015A6FDECC65B2E
                    SHA-512:3DB8207532713FB5BC8326BAA9024E6004F5564F2BC31B73AC5D1ED148267FA8BA9520E0FD791EEAD8A6BE89B240E389347598D44AE98315C397EBA4138034F3
                    Malicious:false
                    Reputation:low
                    Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1309770" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                    C:\Windows\appcompat\Programs\Amcache.hve
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):1572864
                    Entropy (8bit):4.219198579898536
                    Encrypted:false
                    SSDEEP:12288:wnlDQ2UkoV/2qweb5Qnxbrmkk7I9ln/2VugiFlEkamEf2/6zfmBTS0:wlDQ2UkoV/nwebSaYlqu
                    MD5:1FDF042991087FEB000304EDE09873FD
                    SHA1:86F4A5960772839EB54FACAF2EB0AEE18D2E0C47
                    SHA-256:F12745B570720D489952167E0305BE1D9285D956AC9B570F8BF294FA0ABB4EA9
                    SHA-512:8E4AA41021B04E494C19EA13CC5D3DCBA5E89F0B104E16D0664DC99E2D6A77CD461D01E6E0B8EBA9A010BD8CB2B3F80A698F15840223D31DA90801744EBAB422
                    Malicious:false
                    Reputation:low
                    Preview: regfV...V...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..1N.................................................................................................................................................................................................................................................................................................................................................5.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    C:\Windows\appcompat\Programs\Amcache.hve.LOG1
                    Process:C:\Windows\SysWOW64\WerFault.exe
                    File Type:MS Windows registry file, NT/2000 or above
                    Category:dropped
                    Size (bytes):20480
                    Entropy (8bit):3.5233007303433506
                    Encrypted:false
                    SSDEEP:384:RsA5NnIrnc8WTVgG1K0XQmnQIRNovOgl8:a2xAc80VgGU0X7nQIIvP
                    MD5:D13F80EEE1683F406026292ED83DF361
                    SHA1:809EFC26106DAF98C9B149AF9A1BB7EE8BA14BF3
                    SHA-256:6C6F3169DB17CA0E2B55FFD7ABEBAB7EF1807181C916243FFD86AA9426E067B7
                    SHA-512:9F35A8207DB3AD34A5ED40F7E6428859DEFB42C83A6824EB1381228C3DEC33502A091FE9E203D4562FFE7C07D967811DB4A814B2E995F421A69427FD9CABCDA4
                    Malicious:false
                    Reputation:low
                    Preview: regfU...U...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..1N.................................................................................................................................................................................................................................................................................................................................................5.HvLE.N......U............w..{..qx@?..Q`_.................`... ..hbin................p.\..,..........nk,.z3BN.................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .z3BN........ ........................... .......Z.......................Root........lf......Root....nk .z3BN.....................}.............. ...............*...............DeviceCensus........................vk..................WritePermissionsCheck.......p...

                    Static File Info

                    General

                    File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.322432304733337
                    TrID:
                    • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                    • Generic Win/DOS Executable (2004/3) 0.20%
                    • DOS Executable Generic (2002/1) 0.20%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:SecuriteInfo.com.W32.AIDetect.malware1.23460.dll
                    File size:544768
                    MD5:d633b0989e97dc05b09b6233fb53cf37
                    SHA1:6e5a7f0493fea40bd213209ad06f4dd9069969ed
                    SHA256:03ba158e40b1f9c80c0430cd9a06f00bcbddd3826a5965fccb4ac5b242b91a2c
                    SHA512:28a594e2f150c7f9a970f068072fe92bcc4c08dc28893023675fec9ea60926c36c044f8200ff6b5759c6173a2ab3771fa18545c3fa8b9c5328ff54e615eb705c
                    SSDEEP:6144:0k+RYf/Mv1UvT4vjYf/Glpov3KvfMvLo+jwHk3UryzU3+R7ff4evm35IQku4+pMs:0kt2UAogoOwhx7nA4+pMTg
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R...<...<...<..k....<...=.S.<.=.....<.......<.......<.t.?...<.t.=.4.<.L.9...<.t...0.<..k....<..0..x.<.......<..1....<..k....<

                    File Icon

                    Icon Hash:74f0e4ecccdce0e4

                    Static PE Info

                    General

                    Entrypoint:0x10004db0
                    Entrypoint Section:.rdata
                    Digitally signed:false
                    Imagebase:0x10000000
                    Subsystem:windows gui
                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x61C2E245 [Wed Dec 22 08:31:01 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:5
                    OS Version Minor:0
                    File Version Major:5
                    File Version Minor:0
                    Subsystem Version Major:5
                    Subsystem Version Minor:0
                    Import Hash:e980d287af7ef0ccd616c6efb9daaae8

                    Entrypoint Preview

                    Instruction
                    inc eax
                    mov edx, 00000003h
                    cmpps xmm1, xmm0, 02h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    add edx, 04h
                    jmp 00007F13889AB931h
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    int3
                    push ebp
                    mov ebp, esp
                    push esi
                    push edi
                    push ebx
                    and esp, FFFFFFF8h
                    sub esp, 00000090h
                    mov eax, dword ptr [ebp+08h]
                    mov byte ptr [esp+00000083h], 00000064h
                    mov dword ptr [esp+70h], 02263442h
                    mov dword ptr [esp+44h], eax
                    call 00007F13889AF4BAh
                    mov ecx, eax
                    mov edx, eax
                    mov esi, dword ptr [eax+3Ch]
                    movzx edi, word ptr [esp+0000008Ah]
                    mov bx, di
                    mov dword ptr [esp+40h], eax
                    mov eax, edi
                    xor eax, 0000E2E7h
                    mov word ptr [esp+3Eh], ax
                    mov al, byte ptr [esp+77h]
                    mov byte ptr [esp+3Dh], al
                    mov eax, dword ptr [esp+00000084h]
                    mov dword ptr [esp+38h], esi
                    mov si, word ptr [esp+3Eh]
                    mov word ptr [eax+eax+00000000h], si

                    Rich Headers

                    Programming Language:
                    • [IMP] VS2015 UPD1 build 23506
                    • [C++] VS2012 UPD1 build 51106
                    • [ASM] VS2012 build 50727
                    • [ASM] VS2012 UPD2 build 60315
                    • [LNK] VS2010 SP1 build 40219
                    • [EXP] VS2010 SP1 build 40219
                    • [RES] VS2015 UPD1 build 23506
                    • [IMP] VS2010 build 30319
                    • [ASM] VS2015 UPD1 build 23506
                    • [C++] VS2017 v15.5.4 build 25834
                    • [EXP] VS2012 UPD4 build 61030
                    • [C++] VS2008 build 21022
                    • [ASM] VS2010 SP1 build 40219

                    Data Directories

                    NameVirtual AddressVirtual Size Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT0x7c0290x60.rdata
                    IMAGE_DIRECTORY_ENTRY_IMPORT0x7c08c0x78.rdata
                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x840000x2f0.rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x850000x1138.reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG0x60300x38.rdata
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_IAT0x80000x44.rdata
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                    Sections

                    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                    .rdata0x10000x6b2e0x7000False0.391671316964data4.4813428029IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    .rdata0x80000x7424e0x75000False0.316216362847data7.44062865664IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data0x7d0000x61900x5000False0.24609375data5.03782298504IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                    .rsrc0x840000x2f00x1000False0.09033203125data0.789164600932IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc0x850000x11380x2000False0.2421875data4.12390144992IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Resources

                    NameRVASizeTypeLanguageCountry
                    RT_VERSION0x840600x290MS Windows COFF PA-RISC object fileEnglishUnited States

                    Imports

                    DLLImport
                    WINSPOOL.DRVEnumFormsW
                    ADVAPI32.dllRegCloseKey, QueryServiceStatusEx, AccessCheck
                    WS2_32.dllWSACleanup
                    USER32.dllGetWindowTextA
                    KERNEL32.dllCloseHandle, GetModuleHandleW, GetFileSize, OutputDebugStringA, IsDebuggerPresent, GetModuleFileNameW

                    Version Infos

                    DescriptionData
                    OriginalFilenameIha.dll
                    FileDescriptionOracle Call Interface
                    FileVersion2.3.7.0.0
                    Legal CopyrightCopyright Oracle Corporation 1979, 2001. All rights reserved.
                    CompanyNameOracle Corporation
                    Translation0x0409 0x04b0

                    Possible Origin

                    Language of compilation systemCountry where language is spokenMap
                    EnglishUnited States

                    Network Behavior

                    No network behavior found

                    Code Manipulations

                    Statistics

                    Behavior

                    Click to jump to process

                    System Behavior

                    General

                    Start time:20:19:35
                    Start date:22/12/2021
                    Path:C:\Windows\System32\loaddll32.exe
                    Wow64 process (32bit):true
                    Commandline:loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll"
                    Imagebase:0xad0000
                    File size:116736 bytes
                    MD5 hash:7DEB5DB86C0AC789123DEC286286B938
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000001.00000002.738911371.000000006F501000.00000020.00020000.sdmp, Author: Joe Security
                    Reputation:moderate

                    General

                    Start time:20:19:35
                    Start date:22/12/2021
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
                    Imagebase:0x2a0000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:20:19:35
                    Start date:22/12/2021
                    Path:C:\Windows\SysWOW64\rundll32.exe
                    Wow64 process (32bit):true
                    Commandline:rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware1.23460.dll",#1
                    Imagebase:0x200000
                    File size:61952 bytes
                    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.351015506.000000006F501000.00000020.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000002.395029698.000000006F501000.00000020.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000004.00000000.352673706.000000006F501000.00000020.00020000.sdmp, Author: Joe Security
                    Reputation:high

                    General

                    Start time:20:19:39
                    Start date:22/12/2021
                    Path:C:\Windows\SysWOW64\WerFault.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 684
                    Imagebase:0x3c0000
                    File size:434592 bytes
                    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis

                    Reset < >