Windows Analysis Report Pv3ZsGsdfS.dll

Overview

General Information

Sample Name:	Pv3ZsGsdfS.dll
Analysis ID:	544850
MD5:	63c22ce32346e029fa5a1ec1ae619d0f
SHA1:	222cf86c3b59f466292bb734be308cda77c3ddff
SHA256:	efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
Tags:	dll
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Entry point lies outside standard sections

Abnormal high CPU Usage

Classification

Signatures

AV Detection:

Found malware configuration

Source: 3.0.rundll32.exe.6ec60000.5.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}

Multi AV Scanner detection for submitted file

Source: Pv3ZsGsdfS.dll	Virustotal: Detection: 29%			Perma Link
Source: Pv3ZsGsdfS.dll	ReversingLabs: Detection: 34%

Compliance:

Uses 32bit PE files

Source: Pv3ZsGsdfS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: Pv3ZsGsdfS.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308222628.0000000004CDF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000006.00000002.331836488.0000000000AA2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308246821.0000000002DFF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb&ME source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdbgX source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb2MY source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: Pv3ZsGsdfS.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb\ source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb MK source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb,M_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000006.00000002.333232466.0000000004C4B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.327130247.0000000004C4B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297548303.000000006EC7F000.00000002.00020000.sdmp	String found in binary or memory: http://www.baxleystamps.comDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 3.2.rundll32.exe.6ec60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ec60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ec60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ec60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.297484396.000000006EC61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.299069466.000000006EC61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.335772232.000000006EC61000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: Pv3ZsGsdfS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Sample file is different than original file name gathered from version info

Source: Pv3ZsGsdfS.dll

Binary or memory string: OriginalFilenameShi.dllD vs Pv3ZsGsdfS.dll

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 676

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC70730	0_2_6EC70730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC79370	0_2_6EC79370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC6A4E8	0_2_6EC6A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC61494	0_2_6EC61494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC68428	0_2_6EC68428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC7143C	0_2_6EC7143C

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC72234 NtDelayExecution,		0_2_6EC72234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC72820 NtAllocateVirtualMemory,		0_2_6EC72820

Abnormal high CPU Usage

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: Pv3ZsGsdfS.dll	Virustotal: Detection: 29%
Source: Pv3ZsGsdfS.dll	ReversingLabs: Detection: 34%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 676
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4492

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER420B.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Pv3ZsGsdfS.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: Pv3ZsGsdfS.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308222628.0000000004CDF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000006.00000002.331836488.0000000000AA2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308246821.0000000002DFF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb&ME source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdbgX source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb2MY source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: Pv3ZsGsdfS.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb\ source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb MK source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb,M_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC6F6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6EC6F6A9

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1594

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1594

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC70730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6EC70730

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000006.00000002.333232466.0000000004C4B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.333084314.0000000004C10000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.327130247.0000000004C4B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000006.00000002.333232466.0000000004C4B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.327130247.0000000004C4B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWS Packet Scheduler-0000
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC66D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6EC66D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC73138 RtlAddVectoredExceptionHandler,

0_2_6EC73138

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

0_2_6EC66D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6EC66D0C

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: procexp.exe

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.4.135.27	unknown	Greece	199246	TOPHOSTGR	true
85.10.248.28	unknown	Germany	24940	HETZNER-ASDE	true
80.211.3.13	unknown	Italy	31034	ARUBA-ASNIT	true
144.91.122.102	unknown	Germany	51167	CONTABODE	true

AV Detection:

Found malware configuration

Source: 3.0.rundll32.exe.6ec60000.5.unpack

Multi AV Scanner detection for submitted file

Source: Pv3ZsGsdfS.dll	Virustotal: Detection: 29%			Perma Link
Source: Pv3ZsGsdfS.dll	ReversingLabs: Detection: 34%

Compliance:

Uses 32bit PE files

Source: Pv3ZsGsdfS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: Pv3ZsGsdfS.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308222628.0000000004CDF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000006.00000002.331836488.0000000000AA2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308246821.0000000002DFF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb&ME source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdbgX source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb2MY source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: Pv3ZsGsdfS.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb\ source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb MK source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb,M_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	IPs: 144.91.122.102:443
Source: Malware configuration extractor	IPs: 85.10.248.28:593
Source: Malware configuration extractor	IPs: 185.4.135.27:5228
Source: Malware configuration extractor	IPs: 80.211.3.13:8116

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: TOPHOSTGR TOPHOSTGR
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.4.135.27 185.4.135.27
Source: Joe Sandbox View	IP Address: 85.10.248.28 85.10.248.28

Source: WerFault.exe, 00000006.00000002.333232466.0000000004C4B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.327130247.0000000004C4B000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: loaddll32.exe, 00000000.00000002.817479037.000000006EC7F000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297548303.000000006EC7F000.00000002.00020000.sdmp	String found in binary or memory: http://www.baxleystamps.comDVarFileInfo$

E-Banking Fraud:

Yara detected Dridex unpacked file

Source: Yara match	File source: 3.2.rundll32.exe.6ec60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ec60000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ec60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ec60000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.297484396.000000006EC61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.299069466.000000006EC61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.817398169.000000006EC61000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.335772232.000000006EC61000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Uses 32bit PE files

Source: Pv3ZsGsdfS.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Sample file is different than original file name gathered from version info

Source: Pv3ZsGsdfS.dll

Binary or memory string: OriginalFilenameShi.dllD vs Pv3ZsGsdfS.dll

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 676

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC70730	0_2_6EC70730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC79370	0_2_6EC79370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC6A4E8	0_2_6EC6A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC61494	0_2_6EC61494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC68428	0_2_6EC68428
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC7143C	0_2_6EC7143C

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC72234 NtDelayExecution,		0_2_6EC72234
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6EC72820 NtAllocateVirtualMemory,		0_2_6EC72820

Abnormal high CPU Usage

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: Pv3ZsGsdfS.dll	Virustotal: Detection: 29%
Source: Pv3ZsGsdfS.dll	ReversingLabs: Detection: 34%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 676
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4492

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER420B.tmp

Jump to behavior

Source: classification engine

Classification label: mal76.troj.evad.winDLL@6/6@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Pv3ZsGsdfS.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: Pv3ZsGsdfS.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308222628.0000000004CDF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 00000006.00000002.331836488.0000000000AA2000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308246821.0000000002DFF000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdbk source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb&ME source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdbgX source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: setupapi.pdb2MY source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: RFFGTEQ.pdb source: Pv3ZsGsdfS.dll
Source:	Binary string: shcore.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.301339614.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdb\ source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sfc.pdb_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 00000006.00000003.308408730.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308332357.0000000002E0B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308259118.0000000002E0B000.00000004.00000001.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 00000006.00000003.314222507.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 00000006.00000003.308533715.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308255759.0000000002E05000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.308328163.0000000002E05000.00000004.00000001.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb MK source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 00000006.00000003.314209499.0000000005061000.00000004.00000001.sdmp
Source:	Binary string: sechost.pdb,M_ source: WerFault.exe, 00000006.00000003.314228621.0000000005036000.00000004.00000040.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC6F6A8 push esi; mov dword ptr [esp], 00000000h

0_2_6EC6F6A9

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 1594

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 1594

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC70730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

0_2_6EC70730

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 00000006.00000002.333232466.0000000004C4B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000002.333084314.0000000004C10000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.327130247.0000000004C4B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 35 d8 20 48 cb c7 ff-aa 5e d0 37 a0 49 53 d7
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: WerFault.exe, 00000006.00000002.333232466.0000000004C4B000.00000004.00000001.sdmp, WerFault.exe, 00000006.00000003.327130247.0000000004C4B000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWS Packet Scheduler-0000
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Windows\System32\loaddll32.exe

0_2_6EC66D0C

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6EC73138 RtlAddVectoredExceptionHandler,

0_2_6EC73138

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Pv3ZsGsdfS.dll",#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.817211374.0000000001250000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.299018461.0000000003290000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.297349737.0000000003290000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\loaddll32.exe

0_2_6EC66D0C

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

0_2_6EC66D0C

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: c:\users\user\desktop\procexp.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr, Amcache.hve.LOG1.6.dr	Binary or memory string: procexp.exe

ID:	544850
Product:	CloudBasic
Start time:	09:13:23
Start date:	24.12.2021
Sample:	Pv3ZsGsdfS.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	63c22ce32346e029fa5a1ec1ae619d0f
SHA1:	222cf86c3b59f466292bb734be308cda77c3ddff
SHA256:	efbd76616dc1cd8210a8c54611f4ffa88e635f0f6ded2f8ff48311737635edda
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_20f54535b4fc1ad4777e2f126bb0718bcd6544b5_82810a17_13ded830\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	98DB725A67C1B8A5B6180CEE5CAE23C5	13EDF737166203F780F919FD7504AF39C248C91C	0B8587EBDE8B9CDF286B2424F2491CCBF835F66F6B9389F2702176969AE970DB
C:\ProgramData\Microsoft\Windows\WER\Temp\WER420B.tmp.dmp	Mini DuMP crash report, 14 streams, Fri Dec 24 17:14:30 2021, 0x1205a4 type	79CC52BA1F0EDD26262D136E990D6984	E46079188D61F35B4E3D3ADFF6732DA30DB98E52	DC0508215AACCF947F0B30DCEDF4E964DDF68C4E875EC363791270DCC51349F0
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4C9B.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	C87774744C9A5569A446F9BF33806F1E	3A66302FCC41E42BA718CCC8758A62A18163BC33	511D0E9184E6E0C5BF06F83A2F9357D9C459A09CF7495F307FB657BFB6082BDA
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4EEE.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	31E7146B51BA7ED555179C77D3D1E3E7	FEED34F987DE4DC45B91EF062770E97122CCDE9B	54F8D3359514FC8938C97263E2F3541F2B53B73A7BF329CFA4B7ACA811CAECC5
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	B92BBD7D35F32F74D0898172B4E83114	30DADB66C00264F0D67F842D94E81403083A27F9	97E33CBE253502A16CACAF286E2D77C2CFD250C50BB718BE5D95D8048CB52B81
C:\Windows\appcompat\Programs\Amcache.hve.LOG1	MS Windows registry file, NT/2000 or above	50450D0949002809FB441A3343BD4957	9CBBBAA5EEA9963EC22F69B7578FAD5D8981179A	69A6AE8B8F0D55BFAE3ED5C2483B501CF4A85B628528681601CE63FE3D35ADF3

Windows Analysis Report Pv3ZsGsdfS.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs