Source: 2.2.rundll32.exe.6f270000.2.unpack |
Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.100:443", "188.214.241.242:4664", "93.104.209.107:8116", "5.189.190.214:593"], "RC4 keys": ["S9OYlNFUvY5N1RDSpi8BgH6SgS8gPIcU", "rRgzULsP0KBJ7CcLRdZ7mhoBdNxJNQSrQLI3uRuRJVi7lqosB75laFDkwhMJ8LECg1b8sYjJZr"]} |
Source: knigger.dll |
ReversingLabs: Detection: 69% |
Source: knigger.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL |
Source: knigger.dll |
Static PE information: DYNAMIC_BASE, NX_COMPAT |
Source: loaddll32.exe, 00000000.00000002.353161046.000000006F508000.00000002.00000001.01000000.00000003.sdmp, knigger.dll |
Binary string: RFFGTEQ.pdb |
Source: Malware configuration extractor |
IPs: 144.91.122.100:443 |
Source: Malware configuration extractor |
IPs: 188.214.241.242:4664 |
Source: Malware configuration extractor |
IPs: 93.104.209.107:8116 |
Source: Malware configuration extractor |
IPs: 5.189.190.214:593 |
Source: Joe Sandbox View |
ASN Name: BORECOM-INNOVA Borecom-Innova ES |
Source: Joe Sandbox View |
ASN Name: MNET-AS Germany DE |
Source: Joe Sandbox View |
IP Address: 188.214.241.242 |
Source: Joe Sandbox View |
IP Address: 93.104.209.107 |
Source: Amcache.hve.6.dr |
String found in binary or memory: http://upx.sf.net |
Source: rundll32.exe, 00000002.00000000.358373179.000000006F28F000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://www.kazanfirst.ruDVarFileInfo$ |
Source: Yara match |
File source: 2.0.rundll32.exe.6f270000.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.0.rundll32.exe.6f270000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 2.2.rundll32.exe.6f270000.2.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.370546422.000000006F271000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.358345713.000000006F271000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000000.357555659.000000006F271000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: 2.0.rundll32.exe.32fc63b.4.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.2.rundll32.exe.11a0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.2.rundll32.exe.11a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.0.rundll32.exe.32fc63b.1.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.0.rundll32.exe.11a0000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.0.rundll32.exe.32fc63b.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.0.rundll32.exe.32fc63b.4.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.2.rundll32.exe.32fc63b.1.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.0.rundll32.exe.11a0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.0.rundll32.exe.11a0000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.0.rundll32.exe.11a0000.3.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.2.rundll32.exe.32fc63b.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 00000002.00000002.370345630.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 00000002.00000000.358193713.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 00000002.00000000.357246849.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects unknown DLL Loader Author: ditekSHen |
Source: 2.0.rundll32.exe.32fc63b.4.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.2.rundll32.exe.11a0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.2.rundll32.exe.11a0000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.0.rundll32.exe.32fc63b.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.0.rundll32.exe.11a0000.3.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.0.rundll32.exe.32fc63b.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.0.rundll32.exe.32fc63b.4.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.2.rundll32.exe.32fc63b.1.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.0.rundll32.exe.11a0000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.0.rundll32.exe.11a0000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.0.rundll32.exe.11a0000.3.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 2.2.rundll32.exe.32fc63b.1.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 00000002.00000002.370345630.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 00000002.00000000.358193713.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: 00000002.00000000.357246849.00000000011A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader |
Source: knigger.dll |
Binary or memory string: OriginalFilenameNrt.dllD vs knigger.dll |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6324 -s 700 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6F280730 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6F289370 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6F278428 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6F28143C |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6F271494 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6F27A4E8 |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\knigger.dll",#1 |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\knigger.dll" |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\knigger.dll",#1 |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6324 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF4EC.tmp |
Source: classification engine |
Classification label: mal88.troj.winDLL@6/6@0/4 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: knigger.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6F27F6A8 push esi; mov dword ptr [esp], 00000000h |
Source: initial sample |
Static PE information: section where entry point is pointing to: .rdata |
Source: C:\Windows\SysWOW64\WerFault.exe |
Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware-42 35 34 13 2a 07 0a 9c-ee 7f dd c3 60 c7 b9 af |
Source: Amcache.hve.6.dr |
Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware, Inc. |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin |
Source: Amcache.hve.6.dr |
Binary or memory string: Microsoft Hyper-V Generation Counter |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware7,1 |
Source: Amcache.hve.6.dr |
Binary or memory string: NECVMWar VMware SATA CD00 |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware Virtual disk SCSI Disk Device |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk |
Source: Amcache.hve.6.dr |
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1x |
Source: Amcache.hve.6.dr |
Binary or memory string: VMware, Inc.me |
Source: Amcache.hve.6.dr |
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000 |
Source: Amcache.hve.6.dr |
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000 |
Source: C:\Windows\System32\loaddll32.exe |
Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process queried: DebugPort |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 2_2_6F276D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, |
Source: Amcache.hve.6.dr |
Binary or memory string: c:\program files\windows defender\msmpeng.exe |