Windows Analysis Report
WOTZc2nssO.exe

Overview

General Information

Sample Name: WOTZc2nssO.exe (renamed file extension from exe to dll)
Analysis ID: 606301
MD5: ba33bff302fdecf939ed96296d93593f
SHA1: f422c218c50549a380234e6c57231e95a5774371
SHA256: 55f53b1d9dac903d695b48f52894117a87acd81c1c10fc6eafb6dad5d6bc28b4
Tags: dll, Dridex

Detection

Dridex
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

AV Detection

Source: WOTZc2nssO.dll Avira: detected
Source: WOTZc2nssO.dll Virustotal: Detection: 41%
Source: WOTZc2nssO.dll ReversingLabs: Detection: 71%
Source: WOTZc2nssO.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
Source: WOTZc2nssO.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: loaddll32.exe, 00000000.00000002.234826330.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: WOTZc2nssO.dll, type: SAMPLE
Source: WOTZc2nssO.dll Binary or memory string: OriginalFilenameTESTAPP.EXE0 vs WOTZc2nssO.dll
Source: WOTZc2nssO.dll Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WOTZc2nssO.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal68.troj.winDLL@5/0@0/0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1
Source: WOTZc2nssO.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
No contacted IP infos