{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}
Source: Process started | Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3456, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1, ProcessId: 6228 |
Source: 0.2.loaddll32.exe.6ee70000.2.unpack | Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]} |
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll | Virustotal: Detection: 18% | Perma Link |
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll | ReversingLabs: Detection: 25% |
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.254871536.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.254871536.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll |
Source: Malware configuration extractor | IPs: 144.91.122.102:443 |
Source: Malware configuration extractor | IPs: 85.10.248.28:593 |
Source: Malware configuration extractor | IPs: 185.4.135.27:5228 |
Source: Malware configuration extractor | IPs: 80.211.3.13:8116 |
Source: Joe Sandbox View | ASN Name: TOPHOSTGR TOPHOSTGR |
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE |
Source: Joe Sandbox View | IP Address: 185.4.135.27 185.4.135.27 |
Source: Joe Sandbox View | IP Address: 85.10.248.28 85.10.248.28 |
Source: Amcache.hve.4.dr | String found in binary or memory: http://upx.sf.net |
Source: loaddll32.exe, 00000000.00000002.771526094.000000006EE8F000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.250970450.000000006EE8F000.00000002.00020000.sdmp | String found in binary or memory: http://www.n4pkg6fy8o.gaDVarFileInfo$ |
Source: loaddll32.exe, 00000000.00000002.770222556.0000000000B8B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: Yara match | File source: 0.2.loaddll32.exe.6ee70000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.0.rundll32.exe.6ee70000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.2.rundll32.exe.6ee70000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.0.rundll32.exe.6ee70000.2.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000000.252876779.000000006EE71000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.771472500.000000006EE71000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000000.250806872.000000006EE71000.00000020.00020000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.268170869.000000006EE71000.00000020.00020000.sdmp, type: MEMORY |
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll | Binary or memory string: OriginalFilenameIha.dllD vs SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 684 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE80730 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE89370 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE7A4E8 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE71494 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE78428 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE8143C |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE82234 NtDelayExecution, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE82820 NtAllocateVirtualMemory, |
Source: C:\Windows\System32\loaddll32.exe | Process Stats: CPU usage > 98% |
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll | Virustotal: Detection: 18% |
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll | ReversingLabs: Detection: 25% |
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1 |
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll" |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6228 -s 684 |
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1 |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1 |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6228 |
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC93C.tmp | Jump to behavior |
Source: classification engine | Classification label: mal76.troj.evad.winDLL@6/6@0/4 |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts | Jump to behavior |
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: | Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.254871536.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.254871536.000000004B280000.00000004.00000001.sdmp |
Source: | Binary string: RFFGTEQ.pdb source: SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE7F6A8 push esi; mov dword ptr [esp], 00000000h |
Source: initial sample | Static PE information: section where entry point is pointing to: .rdata |
Source: C:\Windows\SysWOW64\WerFault.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\loaddll32.exe | Section loaded: OutputDebugStringW count: 1647 |
Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 1647 |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE80730 GetTokenInformation,GetSystemInfo,GetTokenInformation, |
Source: Amcache.hve.4.dr | Binary or memory string: VMware |
Source: Amcache.hve.4.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.4.dr | Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.4.dr | Binary or memory string: VMware7,1 |
Source: Amcache.hve.4.dr | Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.4.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1 |
Source: Amcache.hve.4.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.4.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.4.dr | Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.4.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.4.dr | Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71 |
Source: Amcache.hve.4.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE76D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE83138 RtlAddVectoredExceptionHandler, |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.BehavesLike.Win32.Drixed.hc.23689.dll",#1 |
Source: loaddll32.exe, 00000000.00000002.770501815.0000000001110000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.249507600.00000000035F0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.252582254.00000000035F0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd |
Source: loaddll32.exe, 00000000.00000002.770501815.0000000001110000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.249507600.00000000035F0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.252582254.00000000035F0000.00000002.00020000.sdmp | Binary or memory string: Progman |
Source: loaddll32.exe, 00000000.00000002.770501815.0000000001110000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.249507600.00000000035F0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.252582254.00000000035F0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl |
Source: loaddll32.exe, 00000000.00000002.770501815.0000000001110000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.249507600.00000000035F0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.252582254.00000000035F0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd, |
Source: loaddll32.exe, 00000000.00000002.770501815.0000000001110000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.249507600.00000000035F0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.252582254.00000000035F0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6EE76D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: Amcache.hve.4.dr | Binary or memory string: msmpeng.exe |
Source: Amcache.hve.4.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.