Source: 3.2.rundll32.exe.6ed80000.2.unpack
Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.100:443", "188.214.241.242:4664", "93.104.209.107:8116", "5.189.190.214:593"], "RC4 keys": ["S9OYlNFUvY5N1RDSpi8BgH6SgS8gPIcU", "rRgzULsP0KBJ7CcLRdZ7mhoBdNxJNQSrQLI3uRuRJVi7lqosB75laFDkwhMJ8LECg1b8sYjJZr"]}
Source: knigger.dll
Virustotal: Detection: 58%
Source: knigger.dll
ReversingLabs: Detection: 69%
Source: knigger.dll
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: knigger.dll
Static PE information: DYNAMIC_BASE, NX_COMPAT
Binary string: RFFGTEQ.pdb source: loaddll32.exe, 00000001.00000002.253591370.000000006F018000.00000002.00000001.01000000.00000003.sdmp, knigger.dll
Source: Malware configuration extractor
IPs: 144.91.122.100:443
Source: Malware configuration extractor
IPs: 188.214.241.242:4664
Source: Malware configuration extractor
IPs: 93.104.209.107:8116
Source: Malware configuration extractor
IPs: 5.189.190.214:593
Source: Joe Sandbox View
ASN Name: BORECOM-INNOVA Borecom-Innova ES
Source: Joe Sandbox View
ASN Name: MNET-AS Germany DE
Source: Joe Sandbox View
IP Address: 188.214.241.242
Source: Joe Sandbox View
IP Address: 93.104.209.107
Source: Amcache.hve.12.dr
String found in binary or memory: http://upx.sf.net
Source: rundll32.exe, 00000003.00000002.368251430.000000006ED9F000.00000002.00000001.01000000.00000003.sdmp
String found in binary or memory: http://www.kazanfirst.ruDVarFileInfo$
Source: Yara match
File source: 3.2.rundll32.exe.6ed80000.2.unpack, type: UNPACKEDPE
Source: Yara match
File source: 00000003.00000002.368122087.000000006ED81000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: 3.2.rundll32.exe.454c63b.1.unpack, type: UNPACKEDPE
Matched rule: Detects unknown DLL Loader Author: ditekSHen
Source: 3.2.rundll32.exe.2d40000.0.unpack, type: UNPACKEDPE
Matched rule: Detects unknown DLL Loader Author: ditekSHen
Source: 3.2.rundll32.exe.454c63b.1.raw.unpack, type: UNPACKEDPE
Matched rule: Detects unknown DLL Loader Author: ditekSHen
Source: 3.2.rundll32.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Matched rule: Detects unknown DLL Loader Author: ditekSHen
Source: 00000003.00000002.368054166.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: Detects unknown DLL Loader Author: ditekSHen
Source: 3.2.rundll32.exe.454c63b.1.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader
Source: 3.2.rundll32.exe.2d40000.0.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader
Source: 3.2.rundll32.exe.454c63b.1.raw.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader
Source: 3.2.rundll32.exe.2d40000.0.raw.unpack, type: UNPACKEDPE
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader
Source: 00000003.00000002.368054166.0000000002D40000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Matched rule: MALWARE_Win_DLLLoader author = ditekSHen, description = Detects unknown DLL Loader
Source: knigger.dll
Binary or memory string: OriginalFilenameNrt.dllD vs knigger.dll
Source: C:\Windows\SysWOW64\rundll32.exe
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 696
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6ED99370
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6ED90730
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6ED8A4E8
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6ED81494
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6ED9143C
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6ED88428
Source: C:\Windows\System32\loaddll32.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\knigger.dll",#1
Source: unknown
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\knigger.dll"
Source: C:\Windows\System32\loaddll32.exe
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\knigger.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2964
Source: C:\Windows\SysWOW64\WerFault.exe
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER79C1.tmp
Source: classification engine
Classification label: mal88.troj.winDLL@8/6@0/4
Source: C:\Windows\SysWOW64\WerFault.exe
File read: C:\Windows\System32\drivers\etc\hosts
Source: knigger.dll
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6ED8F6A8 push esi; mov dword ptr [esp], 00000000h
3_2_6ED8F6A9
Source: initial sample
Static PE information: section where entry point is pointing to: .rdata
Source: C:\Windows\SysWOW64\WerFault.exe
Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe
Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe
Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.12.dr
Binary or memory string: VMware
Source: Amcache.hve.12.dr
Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.12.dr
Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.12.dr
Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.12.dr
Binary or memory string: VMware, Inc.
Source: Amcache.hve.12.dr
Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.12.dr
Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr
Binary or memory string: VMware7,1
Source: Amcache.hve.12.dr
Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr
Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.12.dr
Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.12.dr
Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.12.dr
Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr
Binary or memory string: VMware, Inc.me
Source: Amcache.hve.12.dr
Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.12.dr
Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: Amcache.hve.12.dr
Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: C:\Windows\System32\loaddll32.exe
Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe
Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe
Code function: 3_2_6ED86D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA
Source: Amcache.hve.12.dr
Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr
Binary or memory string: c:\program files\windows defender\msmpeng.exe