Play interactive tour

Edit tour

Windows Analysis Report hMUh2Mkqyi.dll

Overview

General Information

Sample Name:	hMUh2Mkqyi.dll
Analysis ID:	545441
MD5:	8337dd22aa86bc357f8bc573441a97c7
SHA1:	6dc2600455a42651c95c3b612406dabd1182bfee
SHA256:	0341b7e0b66e27bee166ba1fd9fad700d85e58a257bbfed1b60a662d97fc1617
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Dridex unpacked file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Call by Ordinal

Tries to delay execution (extensive OutputDebugStringW loop)

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

One or more processes crash

Tries to load missing DLLs

Contains functionality to query locales information (e.g. system language)

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 1132 cmdline: loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 4756 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 4884 cmdline: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5740 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 740 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 3980 cmdline: rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5656 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 892 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22201, "C2 list": ["104.36.167.47:443", "188.40.48.93:4664", "162.241.33.132:9217", "217.160.5.104:593"], "RC4 keys": ["MVvOFIilF0NXOL2BGlf3SZonbBup17KA", "6UfDOLUgX3hJ3XaposUIUiva9uclhs6fenw01keZT6Cxe8VImuG9Uw6F4mFEkE0ddDT1py8ABw"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000002.00000000.314520962.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000002.351419736.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.309940939.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000003.00000000.313453262.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000002.00000000.317769975.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.6ed80000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6ed80000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
0.2.loaddll32.exe.6ed80000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6ed80000.2.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
2.0.rundll32.exe.6ed80000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
3.0.rundll32.exe.6ed80000.5.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal

Show sources

Source: Process started

Author: Florian Roth: Data: Command: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, CommandLine: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4756, ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1, ProcessId: 4884

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 2.0.rundll32.exe.6ed80000.5.unpack

Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["104.36.167.47:443", "188.40.48.93:4664", "162.241.33.132:9217", "217.160.5.104:593"], "RC4 keys": ["MVvOFIilF0NXOL2BGlf3SZonbBup17KA", "6UfDOLUgX3hJ3XaposUIUiva9uclhs6fenw01keZT6Cxe8VImuG9Uw6F4mFEkE0ddDT1py8ABw"]}

Multi AV Scanner detection for submitted file

Show sources

Source: hMUh2Mkqyi.dll	Virustotal: Detection: 64%			Perma Link
Source: hMUh2Mkqyi.dll	ReversingLabs: Detection: 67%

Machine Learning detection for sample

Show sources

Source: hMUh2Mkqyi.dll

Joe Sandbox ML: detected

Source: hMUh2Mkqyi.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: hMUh2Mkqyi.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: oleaut32.pdb! source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318527592.00000000049C5000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.321398387.000000000536D000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb9 source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbd source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb: source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ntdsapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.346110592.0000000000F42000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.350582062.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb" source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb' source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb# source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb3 source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb- source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbm source: WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdbe source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: lz32.pdb, source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbf source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdbn source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.350582062.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: WINMMBASE.pdbn source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb/ source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb0 source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb6 source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: esent.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: pdh.pdb source: WerFault.exe, 0000000C.00000003.325584158.0000000005041000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb? source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp, hMUh2Mkqyi.dll
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: lz32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 104.36.167.47:443
Source: Malware configuration extractor	IPs: 188.40.48.93:4664
Source: Malware configuration extractor	IPs: 162.241.33.132:9217
Source: Malware configuration extractor	IPs: 217.160.5.104:593

Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: GIGASNET-ASUS GIGASNET-ASUS

Source: Joe Sandbox View	IP Address: 162.241.33.132 162.241.33.132
Source: Joe Sandbox View	IP Address: 104.36.167.47 104.36.167.47

Source: Amcache.hve.12.dr

String found in binary or memory: http://upx.sf.net

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 3.2.rundll32.exe.6ed80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6ed80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.6ed80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ed80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.6ed80000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.6ed80000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.314520962.000000006ED81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.351419736.000000006ED81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.309940939.000000006ED81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.313453262.000000006ED81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.317769975.000000006ED81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Source: hMUh2Mkqyi.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: hMUh2Mkqyi.dll

Binary or memory string: OriginalFilenameHen.dllD vs hMUh2Mkqyi.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 740

Source: C:\Windows\System32\loaddll32.exe

Section loaded: lz32.dll

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED90730
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED99370
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED8A4E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED81494
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED9143C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED88428

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED92234 NtDelayExecution,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED92820 NtAllocateVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6ED8BB44 NtClose,

Source: C:\Windows\System32\loaddll32.exe

Process Stats: CPU usage > 98%

Source: hMUh2Mkqyi.dll	Virustotal: Detection: 64%
Source: hMUh2Mkqyi.dll	ReversingLabs: Detection: 67%

Source: hMUh2Mkqyi.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 740
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 892
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3980
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4884

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF56A.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winDLL@9/10@0/4

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: hMUh2Mkqyi.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: hMUh2Mkqyi.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: oleaut32.pdb! source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.318527592.00000000049C5000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.321398387.000000000536D000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: bcrypt.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: sfc_os.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb9 source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: WinTypes.pdbd source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wininet.pdb: source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ntdsapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: nCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000F.00000002.346110592.0000000000F42000.00000004.00000001.sdmp
Source:	Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdb source: loaddll32.exe, 00000000.00000003.350582062.000000004B280000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb" source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb' source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb# source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wsspicli.pdb3 source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: ntmarta.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb- source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: mpr.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: setupapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: imagehlp.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: dwmapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shcore.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: WINMMBASE.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbm source: WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: ws2_32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: winspool.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdbe source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: lz32.pdb, source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: shell32.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: mpr.pdbf source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp
Source:	Binary string: iphlpapi.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdbn source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: propsys.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.350582062.000000004B280000.00000004.00000001.sdmp
Source:	Binary string: WINMMBASE.pdbn source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb/ source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: winmm.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb0 source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: msctf.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wUxTheme.pdb6 source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: esent.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: pdh.pdb source: WerFault.exe, 0000000C.00000003.325584158.0000000005041000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: AcLayers.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: sfc_os.pdb? source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp
Source:	Binary string: ffty.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp, hMUh2Mkqyi.dll
Source:	Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331365387.0000000005865000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331261588.0000000005862000.00000004.00000040.sdmp
Source:	Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.325529839.0000000005030000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331350069.0000000005860000.00000004.00000040.sdmp
Source:	Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: rundll32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: sfc.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: CoreUIComponents.pdb_ source: WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp
Source:	Binary string: lz32.pdb source: WerFault.exe, 0000000C.00000003.325553878.0000000005036000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331286786.0000000005868000.00000004.00000040.sdmp, WerFault.exe, 0000000F.00000003.331372420.0000000005868000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.325504064.0000000004E51000.00000004.00000001.sdmp, WerFault.exe, 0000000F.00000003.331170568.0000000005891000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED8F6A8 push esi; mov dword ptr [esp], 00000000h

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\Windows\System32\loaddll32.exe

Section loaded: OutputDebugStringW count: 957

Source: C:\Windows\System32\loaddll32.exe

Window / User API: threadDelayed 957

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED90730 GetTokenInformation,GetSystemInfo,GetTokenInformation,

Source: Amcache.hve.12.dr	Binary or memory string: VMware
Source: Amcache.hve.12.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.12.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.12.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: WerFault.exe, 0000000C.00000002.349941200.00000000049C0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.12.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.12.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.12.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: WerFault.exe, 0000000C.00000003.345578429.00000000049C6000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.12.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED86D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6ED93138 RtlAddVectoredExceptionHandler,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1

Source: loaddll32.exe, 00000000.00000002.624963934.0000000001290000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.313950124.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.316555355.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.312651785.0000000003130000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.309615939.0000000003130000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.624963934.0000000001290000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.313950124.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.316555355.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.312651785.0000000003130000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.309615939.0000000003130000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.624963934.0000000001290000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.313950124.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.316555355.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.312651785.0000000003130000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.309615939.0000000003130000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.624963934.0000000001290000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.313950124.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.316555355.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.312651785.0000000003130000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.309615939.0000000003130000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.624963934.0000000001290000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.313950124.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000000.316555355.0000000002CB0000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.312651785.0000000003130000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000000.309615939.0000000003130000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\System32\loaddll32.exe

Source: Amcache.hve.12.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection12	Virtualization/Sandbox Evasion1	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery13	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
hMUh2Mkqyi.dll	64%	Virustotal		Browse
hMUh2Mkqyi.dll	67%	ReversingLabs	Win32.Infostealer.Dridex
hMUh2Mkqyi.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.0.rundll32.exe.540000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.6ed80000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.2.rundll32.exe.a40000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.rundll32.exe.540000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.rundll32.exe.6ed80000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
2.0.rundll32.exe.6ed80000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
0.2.loaddll32.exe.ac0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.rundll32.exe.540000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.a40000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
0.2.loaddll32.exe.6ed80000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.6ed80000.2.unpack	100%	Avira	HEUR/AGEN.1144420	Download File
3.0.rundll32.exe.a40000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.rundll32.exe.6ed80000.5.unpack	100%	Avira	HEUR/AGEN.1144420	Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.12.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.33.132	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
104.36.167.47	unknown	United States	27640	GIGASNET-ASUS	true
217.160.5.104	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
188.40.48.93	unknown	Germany	24940	HETZNER-ASDE	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	545441
Start date:	26.12.2021
Start time:	17:17:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	hMUh2Mkqyi.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winDLL@9/10@0/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 54.4% (good quality ratio 51.5%) Quality average: 78% Quality standard deviation: 28.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Sleeps bigger than 120000ms are automatically reduced to 1000ms Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.42.73.29 Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_38e29c13fccc57cc8ef8dd241186e366303ea06f_82810a17_176e2544\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9656747716480318
Encrypted:	false
SSDEEP:	192:db/iT0oXPCHBUZMX4jed+1U/u7sZS274ItWc:dziNXSBUZMX4jeD/u7sZX4ItWc
MD5:	55669D8210478B4EA8323FF6EB534C13
SHA1:	7BCB3FCBA3249AC0664BE549FD2432E9B5086AAB
SHA-256:	CD49E5A8B39323E717F3AFB244C81F8721E8678ED49CB835D80B664855E49BE7
SHA-512:	D215A9C5F663D7E9738D195985E7DFB90145B665803B6E3778748970866D22D0135D159CFD52CE203B4F3008A51406584D397FE7B62C7E64481B7A2FE1DA5242
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.5.0.4.1.5.1.8.7.3.2.4.9.3.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.8.5.0.4.1.5.2.9.4.3.5.5.8.7.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.4.b.d.f.7.d.c.-.e.b.3.f.-.4.c.2.7.-.8.9.2.3.-.c.0.f.9.e.9.3.d.f.0.2.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.c.4.9.0.b.6.e.-.f.b.a.8.-.4.f.5.2.-.b.1.6.5.-.2.7.8.b.6.6.c.0.2.8.8.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.1.4.-.0.0.0.1.-.0.0.1.6.-.8.1.2.5.-.2.2.9.3.b.f.f.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_ea735312adf69f22b427e19aa51f4ce6a1d_82810a17_171a2091\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9996355450018282
Encrypted:	false
SSDEEP:	192:Csiq0oXBHVzOMjed+18/u7sZS274It7c:Csi8XRVzOMjez/u7sZX4It7c
MD5:	216CC294D0F05DB284EF1FFBE92D55B6
SHA1:	3717F28673DF0F8F98B5A560A59AB4D675A67F54
SHA-256:	1DB84B869558BE37C209AAA1F2FBBC26C0E355E5F715BA8F53E7E9AF03D593C1
SHA-512:	CECED3C45916CF7C3F0F575A4F7F52A0B5F5A591596746F17477F3F4F141010E2D5BED408E672EB27D7F1AC92F5EF31145FECA4B900214C3C9D66597357B04FF
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.5.0.4.1.5.2.0.2.8.0.6.4.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.a.2.0.7.b.2.8.-.4.5.d.f.-.4.2.9.6.-.8.d.8.3.-.6.4.d.d.5.b.c.4.3.a.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.7.e.4.b.9.1.-.0.1.8.1.-.4.a.2.d.-.a.e.9.e.-.8.a.d.6.7.f.2.d.e.7.3.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.8.c.-.0.0.0.1.-.0.0.1.6.-.3.9.2.2.-.1.f.9.3.b.f.f.a.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.!.1.0.3.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1855.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4731
Entropy (8bit):	4.446756882022546
Encrypted:	false
SSDEEP:	48:cvIwSD8zs58JgtWI9+wWSC8Bh8fm8M4JCdssBb7FW7+q8vjssBb04SrS8d:uITf4JJSNMJe27KriDW8d
MD5:	0F081340957DBDE7A6808F4A861E1D20
SHA1:	960A9C5F321005769B3DE1C265B9EDBF18985E37
SHA-256:	478ACB3B3B003ED17F8A5F7E27A57ACD1FC82AAF2123DAE0B77A5F857778D7D7
SHA-512:	90890CC1B6926911C52EB0EF4C9509A6AC0F9EBE3FB9EB02CC7900F85EE9BD6E3F5AABF6F0D86CBC1085527A9C69D7DBD5E0AC1B08FA293B4D14B687888E4472
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1315349" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER347.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.463217480064392
Encrypted:	false
SSDEEP:	48:cvIwSD8zs58JgtWI9+wWSC8B+8fm8M4JCdssBbDFh+q8/NBfnr4SrS9d:uITf4JJSNtJeRO1DW9d
MD5:	325FE2F0F50A9BAF96A6860820CD3839
SHA1:	A15025F2DF4A768FA5E6F77E89644130CC2E1BDA
SHA-256:	28A9ACA89DC97F41244D4C6F850164F12D9C2923DF7A46F5FCB8A3C589656AD1
SHA-512:	A5F958EB415118A695F50090121EC7D52C7102D5CA64341BD9A6DCDC160D5D08B25C6405BFF7A36AA765CFA1BA5890B0250E69460311CEF357F65CD1FE1557B5
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1315349" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1C.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8350
Entropy (8bit):	3.6881137390764036
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNi3a626Y7d68mWGgmf8ZSxCpBo89b/Psfq1m:RrlsNiK626YR6Vgmf8ZSu/0fR
MD5:	259806BFC7BE7B1D29FDB76EF7BDC1F9
SHA1:	55370FC1A49B9497FB3DF0837CAC4BCFF57C4D92
SHA-256:	ED1613B97A23789927B47EB97F975FBCFA6B933F222552EC79B57275C02C383E
SHA-512:	93380DAAABFA41FE47A882AF91334843510863AC3F6441B6110A0CEE45A01E295802923B9AC583DE42767E89D5E77EE825702E864941CEB4A190E096B1ACF1FA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.9.8.0.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF56A.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Dec 27 01:18:40 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	46842
Entropy (8bit):	2.123772277205567
Encrypted:	false
SSDEEP:	384:dfMdu9JX5Lbi4ynchkWuF9QNHMdBWO+T:rJXVbCnMXurANrT
MD5:	638DAF866B7BCE9C14131A08B8986E6A
SHA1:	5E2FD9A1BB8B463A4FD5C20F2A64F4DB48A9FF5F
SHA-256:	F24C321D64DBFCA9FD2D8E2E53823D520661012EF094652B9F99CF19E4F2D7F3
SHA-512:	9D3F93AE26F6837B9E847D56081B9EB2584198C7AEE3943E5E5EE43F35DEC3339C03878449D9E061E6E48BB8430105BB2BE3525B1787C6DDA4D390884B971016
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......p..a........................`................1..........T.......8...........T...........p................................................................................................U...........B....... ......GenuineIntelW...........T...........B..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB75.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Dec 27 01:18:43 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	57898
Entropy (8bit):	1.9914877836784879
Encrypted:	false
SSDEEP:	192:VKdSLINMndkyhcr1+O5SkbUguD1WJzEuGH3pP4V2+TXvrr0nMlK:Na75LbUvhWthk3pP4U+D0M0
MD5:	5E80024C1D5EB0610E1C396FC9F80912
SHA1:	CCEC7E14A97CA0642472DDE29CF7198BB6A08D18
SHA-256:	F2FE4037BD3FAAC7EA5A9A562A8FD5BE1153D95AFA767AB57BD803CECB063655
SHA-512:	543E5AB651445F161EDC4DDAA15773651179A5989974C029CADD1A8A2F837610AE7673482CE84D1EBAFCF2CBC3BDE4D2B8769D21B526BB63FC0C0CE5801BB3B3
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......s..a........................\|...........$...T ......4....7..........`.......8...........T............"..B...........x ..........d"...................................................................U...........B......."......GenuineIntelW...........T...........B..a.............................0..=...............P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFBB.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.694252190090564
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNitf6X6YDc6GVgmfTwDSKCprG89bgusfMAm:RrlsNiV6X6YY6GVgmfTUSdgtfq
MD5:	DBA84585E8788BF8F91320DEDF86F303
SHA1:	92ECFFC1FEFE51B5FF0A801FF378592D7AF2B787
SHA-256:	454322977292BA82AD6DA1B0A463E3C92D11C428C388D23DB837602E67EA7D35
SHA-512:	48D44C71B08FA567D0840EB4212071AADD0DED3FF9E80ABF934E7F7411E91F9128375CFD9D6C8F9FA01850E9F33B2D338CA4F25B5AC2573070EE489ED7213E6D
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.8.4.<./.P.i.d.>.......

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.268800541773365
Encrypted:	false
SSDEEP:	12288:Om5W8LFz73jvcwQXhs89xeGH3nnNjHmIqF9TVpmWw9kHa4pE3wD3syl9:z5W8LFz73jvcwQXbc+89
MD5:	90EDA683473E94CDB547C9E29A6704FD
SHA1:	C684B1720DC7B4CE61FF7D132AF1003675232B83
SHA-256:	667FB919C79920BA6E051C6C429F35A9E5AAD14C345B1FB6CFD983602B91CA16
SHA-512:	13855B217E8E3C8008CBD0A01593F61131020E4A3AE3D0A129BE21B09C042832E89C011693018558DD8B6846A45DC9BD3B581F4BA921CF427AD75992B817E154
Malicious:	false
Preview:	regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn.J...................................................................................................................................................................................................................................................................................................................................................N.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	24576
Entropy (8bit):	3.8421573356677157
Encrypted:	false
SSDEEP:	384:zUe59ZrdLdXX5vQp8XXLnxOf2oSPmxwpz5GjZmGuoDTTe25N5CAR1R:QwHrbXXepigf2oJxwptWmGu2TeyN53R1
MD5:	BC22BD8B89B50F6EDC15F85EDBC508F6
SHA1:	758DD39A69CA510B31E84E49C70D7DE4E7686518
SHA-256:	22D1EC65911BCAFE90317F4F1BCC754B211B66B94BE635F0ECDDBC81E3EC54C9
SHA-512:	4E1625E87B039B070DAFFD13CBD22012BE375201673472C48CBA1606B9CA7DC94A0FB0C52C1A9C0CC8111E7864263C0EF5C6777F50958E9B5503EA39AF649966
Malicious:	false
Preview:	regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn.J...................................................................................................................................................................................................................................................................................................................................................N.HvLE.^......P........................X............................. ..hbin................p.\..,..........nk,..BM.........X........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk ..BM......... ...........P............... .......Z.......................Root........lf......Root....nk ..BM......................}.............. ..............................DeviceCensus.......................vk..................WritePermissionsCheck...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.270377398586344
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hMUh2Mkqyi.dll
File size:	536576
MD5:	8337dd22aa86bc357f8bc573441a97c7
SHA1:	6dc2600455a42651c95c3b612406dabd1182bfee
SHA256:	0341b7e0b66e27bee166ba1fd9fad700d85e58a257bbfed1b60a662d97fc1617
SHA512:	6a2572851e1ef774c35bf733455db6450f0c668d907f6617363037cb92277a022878c6fe7e652d035ed08f75f60c4a6463508a5feb7afb9a866c28d13577748c
SSDEEP:	6144:6KMImhktm7mnmvetmzK/kxwv4Zm7mREqZzdazdULd54f3X0kdVtL8faGAPlX:69hXAg5aX0CL8fI
File Content Preview:	MZ......................@...................................P......E;...;...;....Xl.....................2.4.^....uh.{...6.F......Xl.....F.z..............u..........z.......................@...8.{.G...;.......Rich;..........................................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10005a10
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61B705D1 [Mon Dec 13 08:35:29 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	e9192d34e4c9dcdf739aaa1d74025eb2

Entrypoint Preview

Instruction
mov edx, 00000003h
cmpps xmm1, xmm0, 02h
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
add eax, 0Ch
cmp edx, 03h
je 00007F5AF0AB2D82h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push ebx
push esi
and esp, FFFFFFF8h
sub esp, 000000A0h
mov eax, dword ptr [ebp+08h]
mov ecx, 006B34C2h
mov edx, dword ptr [esp+7Ch]
mov dword ptr [esp+7Ch], 3CDA3086h
mov dword ptr [esp+00000094h], 00000000h
mov dword ptr [esp+00000090h], 006C4587h
mov byte ptr [esp+7Ah], FFFFFFBDh
mov dword ptr [esp+74h], 629729F9h
mov byte ptr [esp+65h], FFFFFFF1h
mov dword ptr [esp+38h], 694CC273h
mov esi, dword ptr [esp+00000094h]
mov edi, dword ptr [esp+00000090h]
mov ebx, edi
add ebx, 171E5389h
mov dword ptr [esp+30h], eax
mov eax, esi
adc eax, 00000000h
mov dword ptr [esp+48h], ebx
mov dword ptr [esp+4Ch], eax
mov dword ptr [esp+2Ch], edi
mov dword ptr [esp+28h], ecx
mov dword ptr [esp+24h], edx
mov dword ptr [esp+20h], esi
call 00007F5AF0AB6786h
mov ecx, 4C276534h
mov edx, dword ptr [esp+2Ch]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x780d0	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x781b0	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x82000	0x2f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x83000	0x1214	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x90f0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0xe8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7a16	0x8000	False	0.362518310547	data	4.63110019551	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0x6fb69	0x70000	False	0.311176845006	data	7.37787775173	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x79000	0x80f4	0x7000	False	0.295828683036	data	6.02916609898	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x82000	0x2f0	0x1000	False	0.090087890625	data	0.784979301457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x83000	0x1d46	0x2000	False	0.287475585938	data	4.27724948186	IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x82060	0x290	MS Windows COFF PA-RISC object file	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileW, GetProcessVersion, GetModuleFileNameW, CloseHandle, VirtualAllocEx, DeleteTimerQueue, InitAtomTable
msvcrt.dll	wcscoll
SETUPAPI.dll	SetupDiOpenDeviceInterfaceW
WININET.dll	InternetReadFile
RPCRT4.dll	RpcMgmtSetCancelTimeout, NdrGetUserMarshalInfo
LZ32.dll	LZCopy
USER32.dll	BlockInput, TranslateMessage, FillRect, GetWindowTextA, DefMDIChildProcW, GetWindowContextHelpId, IsWinEventHookInstalled, GetClassNameA
NTDSAPI.dll	DsGetDomainControllerInfoW
IPHLPAPI.DLL	GetIpAddrTable
WS2_32.dll	WSACleanup, inet_addr
IMM32.dll	ImmGetCandidateListW
ADVAPI32.dll	CreateRestrictedToken, CryptGenKey, CryptAcquireContextW, RegCloseKey, CryptContextAddRef
GDI32.dll	GetViewportOrgEx, SetWindowOrgEx
pdh.dll	PdhAddCounterW
ole32.dll	CoCreateInstanceEx, CoGetObjectContext, StringFromGUID2
WINMM.dll	waveOutGetPitch
SHLWAPI.dll	AssocGetPerceivedType
ESENT.dll	JetInit

Exports

Name	Ordinal	Address
Wgpomsdeeomtunmdrt	1	0x10078125

Version Infos

Description	Data
OriginalFilename	Hen.dll
FileDescription	Oracle Call Interface
FileVersion	7.0.2.1.0
Legal Copyright	Copyright Oracle Corporation 1979, 2001. All rights reserved.
CompanyName	Oracle Corporation
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 1132 Parent PID: 2172

General

Start time:	17:17:53
Start date:	26/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll"
Imagebase:	0xed0000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000000.00000002.627740230.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	moderate

Analysis Process: cmd.exe PID: 4756 Parent PID: 1132

General

Start time:	17:17:54
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 3980 Parent PID: 1132

General

Start time:	17:17:54
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\hMUh2Mkqyi.dll,Wgpomsdeeomtunmdrt
Imagebase:	0xa90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.314520962.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000002.00000000.317769975.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 4884 Parent PID: 4756

General

Start time:	17:17:54
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\hMUh2Mkqyi.dll",#1
Imagebase:	0xa90000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.351419736.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.309940939.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000000.313453262.000000006ED81000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: WerFault.exe PID: 5740 Parent PID: 4884

General

Start time:	17:18:35
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4884 -s 740
Imagebase:	0x1280000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exe PID: 5656 Parent PID: 3980

General

Start time:	17:18:37
Start date:	26/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 892
Imagebase:	0x1280000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report hMUh2Mkqyi.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 1132 Parent PID: 2172

General

Analysis Process: cmd.exe PID: 4756 Parent PID: 1132