
Windows Analysis Report
WOTZc2nssO.exe

Overview

General Information

Sample Name: WOTZc2nssO.exe (renamed file extension from exe to dll)
Analysis ID: 606301
MD5: ba33bff302fdecf939ed96296d93593f
SHA1: f422c218c50549a380234e6c57231e95a5774371
SHA256: 55f53b1d9dac903d695b48f52894117a87acd81c1c10fc6eafb6dad5d6bc28b4
Tags: dll, Dridex

Detection

Dridex
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)
Checks if the current process is being debugged

Classification

  • System is w10x64
  • loaddll32.exe (PID: 3260 cmdline: loaddll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 5784 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1356 cmdline: rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings):
Source: WOTZc2nssO.dll; Rule: JoeSecurity_Dridex_1; Description: Yara detected Dridex unpacked file; Author: Joe Security; Strings: (none listed)

    System Summary

    Source: Process started; Author: Florian Roth; Data: Command: rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1; CommandLine: rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1; CommandLine|base64offset|contains: ; Image: C:\Windows\SysWOW64\rundll32.exe; NewProcessName: C:\Windows\SysWOW64\rundll32.exe; OriginalFileName: C:\Windows\SysWOW64\rundll32.exe; ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1; ParentImage: C:\Windows\SysWOW64\cmd.exe; ParentProcessId: 5784; ParentProcessName: cmd.exe; ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1; ProcessId: 1356; ProcessName: rundll32.exe
    No Snort rule has matched


    AV Detection

    Source: WOTZc2nssO.dll; Avira: detected
    Source: WOTZc2nssO.dll; Virustotal: Detection: 41%
    Source: WOTZc2nssO.dll; ReversingLabs: Detection: 71%
    Source: WOTZc2nssO.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
    Source: WOTZc2nssO.dll; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: loaddll32.exe, 00000000.00000002.234826330.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

    E-Banking Fraud

    Source: Yara match; File source: WOTZc2nssO.dll, type: SAMPLE
    Source: WOTZc2nssO.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, RELOCS_STRIPPED
    Source: WOTZc2nssO.dll; Binary or memory string: OriginalFilename TESTAPP.EXE0 vs WOTZc2nssO.dll
    Source: WOTZc2nssO.dll; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: WOTZc2nssO.dll; Virustotal: Detection: 41%
    Source: WOTZc2nssO.dll; ReversingLabs: Detection: 71%
    Source: WOTZc2nssO.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: classification engine; Classification label: mal68.troj.winDLL@5/0@0/0
    Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1
    Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll"
    Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1
    Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1
    Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1
    Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1
    Source: WOTZc2nssO.dll; Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: WOTZc2nssO.dll; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
    Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugPort
    Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\WOTZc2nssO.dll",#1
    MITRE ATT&CK Matrix (techniques listed per tactic column, three matrix rows; numbers preceding a technique are carried over from the report's matrix as given):

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    Privilege Escalation: 11 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows)
    Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Rundll32; 11 Process Injection
    Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager
    Discovery: 1 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 System Information Discovery
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: 1 Input Capture; Data from Removable Media; Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Command and Control: Data Obfuscation; Junk Data; Steganography
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    Behavior Graph (ID: 606301; Sample: WOTZc2nssO.exe; Start date: 09/04/2022; Architecture: WINDOWS; Score: 68)
    Signatures attached to the start node: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Dridex unpacked file; Sigma detected: Suspicious Call by Ordinal
    Process chain: loaddll32.exe started -> cmd.exe started -> rundll32.exe started