Windows Analysis Report
OCVOXxB3d1.dll

Overview

General Information

Sample Name: OCVOXxB3d1.dll
Analysis ID: 694555
MD5: 6691e824d3f1dfe97061b18e4b0ae2c6
SHA1: 19af8b88be376cee1fc0033b29cf38eb0f7fb544
SHA256: 2f37a4c72c53bfb4bf25aa9d04afa12b0e1c2cbbd77bc7048be402633b3e28c3
Tags: dll

Detection

Gandcrab, ReflectiveLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Found Tor onion address
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection

Source: OCVOXxB3d1.dll Avira: detected
Source: OCVOXxB3d1.dll Virustotal: Detection: 78%
Source: OCVOXxB3d1.dll Metadefender: Detection: 62%
Source: OCVOXxB3d1.dll ReversingLabs: Detection: 96%
Source: http://gandcrab2pie73et.onion/cb44cde56c4e43dc Avira URL Cloud: Label: malware
Source: OCVOXxB3d1.dll Joe Sandbox ML: detected
Source: OCVOXxB3d1.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: OCVOXxB3d1.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Networking

Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: OCVOXxB3d1.dll String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll String found in binary or memory: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll String found in binary or memory: http://sj.ms/register.php
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll String found in binary or memory: http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll String found in binary or memory: https://psi-im.org/download/
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: OCVOXxB3d1.dll, type: SAMPLE
Source: Yara match File source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1236, type: MEMORYSTR

System Summary

Source: OCVOXxB3d1.dll, type: SAMPLE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: OCVOXxB3d1.dll, type: SAMPLE Matched rule: Gandcrab Payload Author: kevoreilly
Source: OCVOXxB3d1.dll, type: SAMPLE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: OCVOXxB3d1.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: OCVOXxB3d1.dll, type: SAMPLE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: OCVOXxB3d1.dll, type: SAMPLE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: OCVOXxB3d1.dll, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: OCVOXxB3d1.dll, type: SAMPLE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: OCVOXxB3d1.dll, type: SAMPLE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632
Source: OCVOXxB3d1.dll Virustotal: Detection: 78%
Source: OCVOXxB3d1.dll Metadefender: Detection: 62%
Source: OCVOXxB3d1.dll ReversingLabs: Detection: 96%
Source: OCVOXxB3d1.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 648
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 580
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5964
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1236
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2B.tmp
Source: classification engine Classification label: mal96.rans.evad.winDLL@10/12@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: OCVOXxB3d1.dll Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Source: Yara match File source: OCVOXxB3d1.dll, type: SAMPLE
Source: Yara match File source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1236, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0359BE65 push es; retf 006Fh 2_2_0359BE66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0359F8E5 push es; retf 006Fh 2_2_0359F8E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0359BE9D push es; retf 006Fh 2_2_0359BE9E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_035A3B89 push es; retf 006Fh 2_2_035A3B96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0359F28D push es; retf 006Fh 2_2_0359F28E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0359CD28 push eax; ret 2_2_0359CE6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_0359DC28 push eax; ret 2_2_0359DC29
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1