Windows Analysis Report
OCVOXxB3d1.dll

Overview

General Information

Sample Name:	OCVOXxB3d1.dll
Analysis ID:	694555
MD5:	6691e824d3f1dfe97061b18e4b0ae2c6
SHA1:	19af8b88be376cee1fc0033b29cf38eb0f7fb544
SHA256:	2f37a4c72c53bfb4bf25aa9d04afa12b0e1c2cbbd77bc7048be402633b3e28c3
Tags:	dll
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Found Tor onion address

Machine Learning detection for sample

Uses 32bit PE files

Yara signature match

One or more processes crash

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OCVOXxB3d1.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: OCVOXxB3d1.dll	Virustotal: Detection: 78%	Perma Link
Source: OCVOXxB3d1.dll	Metadefender: Detection: 62%	Perma Link
Source: OCVOXxB3d1.dll	ReversingLabs: Detection: 96%

Antivirus detection for URL or domain

Source: http://gandcrab2pie73et.onion/cb44cde56c4e43dc

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: OCVOXxB3d1.dll

Joe Sandbox ML: detected

Uses 32bit PE files

Source: OCVOXxB3d1.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: OCVOXxB3d1.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Networking

Found Tor onion address

Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: OCVOXxB3d1.dll	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc

Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: http://sj.ms/register.php
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: https://psi-im.org/download/
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: OCVOXxB3d1.dll, type: SAMPLE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322931853.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.319117330.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318854091.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1236, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Uses 32bit PE files

Source: OCVOXxB3d1.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Yara signature match

Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632

Source: OCVOXxB3d1.dll	Virustotal: Detection: 78%
Source: OCVOXxB3d1.dll	Metadefender: Detection: 62%
Source: OCVOXxB3d1.dll	ReversingLabs: Detection: 96%

Source: OCVOXxB3d1.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 648
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 580
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5964
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1236

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2B.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.rans.evad.winDLL@10/12@0/0

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: OCVOXxB3d1.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: OCVOXxB3d1.dll, type: SAMPLE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.336006148.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.339378764.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319302985.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318756215.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.323325832.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322856833.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1236, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359BE65 push es; retf 006Fh	2_2_0359BE66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359F8E5 push es; retf 006Fh	2_2_0359F8E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359BE9D push es; retf 006Fh	2_2_0359BE9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_035A3B89 push es; retf 006Fh	2_2_035A3B96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359F28D push es; retf 006Fh	2_2_0359F28E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359CD28 push eax; ret	2_2_0359CE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359DC28 push eax; ret	2_2_0359DC29

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_76b43c6d9c1a2a81832137409fd652e3d2404ae8_7cac0383_17015320\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	95ACD9DF347422031C670B7066AC74BA	10525B285C7BDF86CD78FD174E3DE54C8D909162	331A2996DA6529167C785EB044F4077E35028A54F9BB9FF1116D9B0FEA6CE343
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bc4dba44e5104f2aa4617139c4a8f4569b60d283_82810a17_16914f67\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	0E43BD8D941E00246C3F93C725F58C00	103477A1BB721B5F45C1B9AAE92D3C5004DF8740	C424147059729E531C6B3C3FCD54A7EF48787A3E8F14E763FFC1EA8D337B8E54
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bc4dba44e5104f2aa4617139c4a8f4569b60d283_82810a17_16bd4e9c\Report.wer	Little-endian UTF-16 Unicode text, with CRLF line terminators	783CD9979B465BD56A312A81AF23779A	29B7032B54142465F189F1AEE7748710FF5EBFB5	3807EFA10516AB62401122798BBBD67B23AF952ABFEC4ABA8E583557C2237FEC
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2B.tmp.dmp	Mini DuMP crash report, 14 streams, Wed Aug 31 21:47:16 2022, 0x1205a4 type	1688DFDDC1A7CFFD64ABAE1D9FDF5B4B	B829431D220B16F3C17A2535A380A8B65624A314	6B62B0BBDB73F05CACAE57352DB90055E6B0F94D72824FCAFD8B578545FB72F5
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F3A.tmp.dmp	Mini DuMP crash report, 14 streams, Wed Aug 31 21:47:16 2022, 0x1205a4 type	88AD55E140DCF676E1F10C35D308EEFA	79BC019333884EF72AC9BC04A8F692EC808C806A	B98701697E90C5116F4588830C0A94BAE6C702982CF90A03F14E85715F035BFF
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4507.tmp.dmp	Mini DuMP crash report, 15 streams, Wed Aug 31 21:47:17 2022, 0x1205a4 type	E7CC47358ED5F64B03295BD8DB88DFCB	2BF9AEDCC11C1F2724D7BDAF396546B415C05736	5BC1E47342D3F3553F48F8C96ADFF79E14B22903D4D73EA625676F263B854E22
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4575.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	6F9B680C0E9FD815034863A19A09F0CA	EF8AA76D4DFEBBA9FF3340A0D9579F435D130B91	BA7DD8511B31E67468312420ABCB7A5D438566594B9ADD94D5271171F6EC00A4
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4640.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	5BAF0E9F6A37EB6F07C4CBBD6EDED2F3	1F425F18A1ECF3DA4463BF7100F3FDEF47280CCA	DAFE41118C94B84086C07FFD42C1FDB50B94CC231AE8E7BC1211192F1E939BD6
C:\ProgramData\Microsoft\Windows\WER\Temp\WER473B.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	273FA6851D98B791A1CECC9313B2915A	E037D48FD99464850F5A9AD3FA478DE644EC3B9A	BB7E6151582D13A2001C87D7F303C17CABFDB3C07066103E77530C6C13940DDB
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4806.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	28FCD77204FC00608F4BFF4357A62849	72FBF7B36FF9735BC7019AACC2C724A548DD8EEE	33A0DBABCEC16311ADF77B4013428E86D9D46C673D5E1BA78B9A36616B6C2EF1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER495D.tmp.WERInternalMetadata.xml	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators	1A5328611B6731DD8F1FEDE0131B63FC	E8BD88E0C049147C34D40408BFA6BF7E285F4456	DDC2E94C8077F58151A79623999842212BB140D0E10A54EF56CDC09E5C757CCD
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B81.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	509A64232BA25A6C9DF94BEE4CB1AFDD	69FC5B75F0A1704818E8A27CDA03D6B98EB8EA35	3C9F901ADA94016F0E9C44F1C85F5E3489567F38DFA0FF9D354B16B5D0FD11B5

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OCVOXxB3d1.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: OCVOXxB3d1.dll	Virustotal: Detection: 78%	Perma Link
Source: OCVOXxB3d1.dll	Metadefender: Detection: 62%	Perma Link
Source: OCVOXxB3d1.dll	ReversingLabs: Detection: 96%

Antivirus detection for URL or domain

Source: http://gandcrab2pie73et.onion/cb44cde56c4e43dc

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: OCVOXxB3d1.dll

Joe Sandbox ML: detected

Uses 32bit PE files

Source: OCVOXxB3d1.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: OCVOXxB3d1.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Networking

Found Tor onion address

Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: OCVOXxB3d1.dll	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc

Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: http://sj.ms/register.php
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: https://psi-im.org/download/
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: OCVOXxB3d1.dll, type: SAMPLE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322931853.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.319117330.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318854091.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1236, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Uses 32bit PE files

Source: OCVOXxB3d1.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Yara signature match

Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

One or more processes crash

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632

Source: OCVOXxB3d1.dll	Virustotal: Detection: 78%
Source: OCVOXxB3d1.dll	Metadefender: Detection: 62%
Source: OCVOXxB3d1.dll	ReversingLabs: Detection: 96%

Source: OCVOXxB3d1.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 648
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 580
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1	Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5964
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1236

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2B.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.rans.evad.winDLL@10/12@0/0

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: OCVOXxB3d1.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: OCVOXxB3d1.dll, type: SAMPLE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.336006148.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.339378764.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319302985.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318756215.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.323325832.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322856833.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1236, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359BE65 push es; retf 006Fh	2_2_0359BE66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359F8E5 push es; retf 006Fh	2_2_0359F8E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359BE9D push es; retf 006Fh	2_2_0359BE9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_035A3B89 push es; retf 006Fh	2_2_035A3B96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359F28D push es; retf 006Fh	2_2_0359F28E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359CD28 push eax; ret	2_2_0359CE6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359DC28 push eax; ret	2_2_0359DC29

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1

Jump to behavior

ID:	694555
Product:	CloudBasic
Start time:	23:46:11
Start date:	31.08.2022
Sample:	OCVOXxB3d1.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	6691e824d3f1dfe97061b18e4b0ae2c6
SHA1:	19af8b88be376cee1fc0033b29cf38eb0f7fb544
SHA256:	2f37a4c72c53bfb4bf25aa9d04afa12b0e1c2cbbd77bc7048be402633b3e28c3
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Windows Analysis Report
OCVOXxB3d1.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Screenshots

Behavior Graph

Network Map

Windows Analysis Report OCVOXxB3d1.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
OCVOXxB3d1.dll