Windows Analysis Report triage_dropped_file

Overview

General Information

Sample Name: triage_dropped_file (renamed file extension from none to dll)
Analysis ID: 544201
MD5: 232a73868213c05f54359f7d7c5d349f
SHA1: 2de77f30b087dfb182e414c341c6d6426e752fd9
SHA256: 47738cc4c2025a2f4655695777fabde7c80bf272406b4dd89efbfab34ff5780b
Tags: 22201, dll, dridex

Detection

Dridex
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Tries to delay execution (extensive OutputDebugStringW loop)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
One or more processes crash
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
Entry point lies outside standard sections
Abnormal high CPU Usage

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4388 cmdline: loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 2920 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5340 cmdline: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 5112 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 684 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000000.669892514.000000006E7C1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
00000003.00000000.672146465.000000006E7C1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
00000003.00000002.703106750.000000006E7C1000.00000020.00020000.sdmp | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.0.rundll32.exe.6e7c0000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
3.0.rundll32.exe.6e7c0000.5.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
3.2.rundll32.exe.6e7c0000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |
0.2.loaddll32.exe.6e7c0000.2.unpack | JoeSecurity_Dridex_1 | Yara detected Dridex unpacked file | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2920, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1, ProcessId: 5340

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.6e7c0000.2.unpack | Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}
Multi AV Scanner detection for submitted file
Source: triage_dropped_file.dll | Virustotal: Detection: 21%
Source: triage_dropped_file.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: triage_dropped_file.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000007.00000003.676927759.000000000498C000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676279098.000000000498C000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677824311.000000000498D000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677706288.000000000498D000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdbc source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.674327530.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676602249.000000000098F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677581016.000000000098F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbW source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000007.00000003.677096028.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676634581.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676854151.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb; source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdbO source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: RFFGTEQ.pdb source: triage_dropped_file.dll
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 00000007.00000003.676602249.000000000098F000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.677581016.000000000098F000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdbr source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb8 source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.674327530.000000004B280000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdbq source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb[ source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdbe source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbA source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbi source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 00000007.00000003.677096028.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676634581.000000000099B000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000003.676854151.000000000099B000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000007.00000003.681654140.0000000004E30000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000007.00000003.681649017.0000000004C51000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb] source: WerFault.exe, 00000007.00000003.681660541.0000000004E36000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 144.91.122.102:443
Source: Malware configuration extractor | IPs: 85.10.248.28:593
Source: Malware configuration extractor | IPs: 185.4.135.27:5228
Source: Malware configuration extractor | IPs: 80.211.3.13:8116
Source: Joe Sandbox View | ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View | IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View | IP Address: 85.10.248.28 85.10.248.28
Source: WerFault.exe, 00000007.00000002.697619692.00000000048FC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.1190003602.000000006E7DF000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.703186360.000000006E7DF000.00000002.00020000.sdmp | String found in binary or memory: http://www.forex-broker.websiteDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match | File source: 3.0.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.rundll32.exe.6e7c0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.loaddll32.exe.6e7c0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.669892514.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.672146465.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1189977007.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.703106750.000000006E7C1000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: triage_dropped_file.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: triage_dropped_file.dll | Binary or memory string: OriginalFilenameIha.dllD vs triage_dropped_file.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 684
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D0730
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D9370
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D143C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7C8428
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7CA4E8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7C1494
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D2234 NtDelayExecution
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D2820 NtAllocateVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Process Stats: CPU usage > 98%
Source: triage_dropped_file.dll | Virustotal: Detection: 21%
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll"
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 684
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5340
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER747.tmp
Source: classification engine | Classification label: mal76.troj.evad.winDLL@6/6@0/4
Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: triage_dropped_file.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: triage_dropped_file.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7CF6A8 push esi; mov dword ptr [esp], 00000000h
Source: initial sample | Static PE information: section where entry point is pointing to: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion:

                  Tries to delay execution (extensive OutputDebugStringW loop)
                  Source: C:\Windows\System32\loaddll32.exe | Section loaded: OutputDebugStringW count: 1625
                  Source: C:\Windows\System32\loaddll32.exe | Window / User API: threadDelayed 1625
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D0730 GetTokenInformation,GetSystemInfo,GetTokenInformation | 0_2_6E7D0730
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware
                  Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                  Source: Amcache.hve.7.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware-42 35 9c fb 73 fa 4e 1b-fb a4 60 e7 7b e5 4a ed
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                  Source: Amcache.hve.7.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware7,1
                  Source: Amcache.hve.7.dr | Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.7.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: WerFault.exe, 00000007.00000002.697619692.00000000048FC000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.7.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: Amcache.hve.7.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: WerFault.exe, 00000007.00000002.697619692.00000000048FC000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWH
                  Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc.me
                  Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                  Source: WerFault.exe, 00000007.00000003.693316382.000000000499D000.00000004.00000001.sdmp, WerFault.exe, 00000007.00000002.699046693.000000000499D000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                  Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                  Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7C6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA | 0_2_6E7C6D0C
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7D3138 RtlAddVectoredExceptionHandler | 0_2_6E7D3138
                  Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\triage_dropped_file.dll",#1
                  Source: loaddll32.exe, 00000000.00000002.1189841282.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.669444992.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.671592848.0000000003820000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                  Source: loaddll32.exe, 00000000.00000002.1189841282.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.669444992.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.671592848.0000000003820000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: loaddll32.exe, 00000000.00000002.1189841282.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.669444992.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.671592848.0000000003820000.00000002.00020000.sdmp | Binary or memory string: Progman
                  Source: loaddll32.exe, 00000000.00000002.1189841282.0000000001770000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.669444992.0000000003820000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.671592848.0000000003820000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                  Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA | 0_2_6E7C6D0C
                  Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E7C6D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA | 0_2_6E7C6D0C
                  Source: Amcache.hve.7.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe

                  Mitre Att&ck Matrix

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Virtualization/Sandbox Evasion11 | OS Credential Dumping | Security Software Discovery31 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection12 | LSASS Memory | Virtualization/Sandbox Evasion11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Rundll321 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
                  Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                  Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                  External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                  Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery13 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

                  Behavior Graph

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet