Windows Analysis Report
OCVOXxB3d1.dll

Overview

General Information

Sample Name: OCVOXxB3d1.dll
Analysis ID: 694555
MD5: 6691e824d3f1dfe97061b18e4b0ae2c6
SHA1: 19af8b88be376cee1fc0033b29cf38eb0f7fb544
SHA256: 2f37a4c72c53bfb4bf25aa9d04afa12b0e1c2cbbd77bc7048be402633b3e28c3
Tags: dll

Detection

Gandcrab, ReflectiveLoader
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Gandcrab
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Yara detected ReflectiveLoader
Found Tor onion address
Machine Learning detection for sample
Uses 32bit PE files
Yara signature match
One or more processes crash
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll32.exe (PID: 5964 cmdline: loaddll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 1312 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1236 cmdline: rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 5860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 1308 cmdline: rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 648 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 5976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 580 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source | Rule | Description | Author (matched strings listed below each row)
OCVOXxB3d1.dll | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0x11832:$x1: ReflectiveLoader
OCVOXxB3d1.dll | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0x10ff6:$: DECRYPT.txt
  • 0x11048:$: DECRYPT.txt
OCVOXxB3d1.dll | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
OCVOXxB3d1.dll | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
OCVOXxB3d1.dll | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0x11831:$s1: _ReflectiveLoader@
  • 0x11832:$s2: ReflectiveLoader@
Source | Rule | Description | Author (matched strings listed below each row)
00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
00000000.00000000.322931853.00000000707B3000.00000008.00000001.01000000.00000003.sdmp | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
Source | Rule | Description | Author (matched strings listed below each row)
2.0.rundll32.exe.707a0000.1.unpack | ReflectiveLoader | Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended | Florian Roth
  • 0x10c32:$x1: ReflectiveLoader
2.0.rundll32.exe.707a0000.1.unpack | SUSP_RANSOMWARE_Indicator_Jul20 | Detects ransomware indicator | Florian Roth
  • 0x103f6:$: DECRYPT.txt
  • 0x10448:$: DECRYPT.txt
2.0.rundll32.exe.707a0000.1.unpack | JoeSecurity_Gandcrab | Yara detected Gandcrab | Joe Security
2.0.rundll32.exe.707a0000.1.unpack | JoeSecurity_ReflectiveLoader | Yara detected ReflectiveLoader | Joe Security
2.0.rundll32.exe.707a0000.1.unpack | INDICATOR_SUSPICIOUS_ReflectiveLoader | detects Reflective DLL injection artifacts | ditekSHen
  • 0x10c31:$s1: _ReflectiveLoader@
  • 0x10c32:$s2: ReflectiveLoader@
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: OCVOXxB3d1.dll, Avira: detected
Source: OCVOXxB3d1.dll, Virustotal: Detection: 78%
Source: OCVOXxB3d1.dll, Metadefender: Detection: 62%
Source: OCVOXxB3d1.dll, ReversingLabs: Detection: 96%
Source: http://gandcrab2pie73et.onion/cb44cde56c4e43dc, Avira URL Cloud: Label: malware
Source: OCVOXxB3d1.dll, Joe Sandbox ML: detected
Source: OCVOXxB3d1.dll, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: OCVOXxB3d1.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Networking

Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: OCVOXxB3d1.dll, String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll, String found in binary or memory: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll, String found in binary or memory: http://sj.ms/register.php
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll, String found in binary or memory: http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll, String found in binary or memory: https://psi-im.org/download/
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll, String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match, File source: OCVOXxB3d1.dll, type: SAMPLE
Source: Yara match, File source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.322931853.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.319117330.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.318854091.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 1308, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: rundll32.exe PID: 1236, type: MEMORYSTR

System Summary

Source: OCVOXxB3d1.dll, type: SAMPLE, Matched rule: detects Reflective DLL injection artifacts, Author: ditekSHen
Source: OCVOXxB3d1.dll, type: SAMPLE, Matched rule: Gandcrab Payload, Author: kevoreilly
Source: OCVOXxB3d1.dll, type: SAMPLE, Matched rule: Win32_Ransomware_GandCrab, Author: ReversingLabs
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: detects Reflective DLL injection artifacts, Author: ditekSHen
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Gandcrab Payload, Author: kevoreilly
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab, Author: ReversingLabs
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: detects Reflective DLL injection artifacts, Author: ditekSHen
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Gandcrab Payload, Author: kevoreilly
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab, Author: ReversingLabs
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: detects Reflective DLL injection artifacts, Author: ditekSHen
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Gandcrab Payload, Author: kevoreilly
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab, Author: ReversingLabs
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: detects Reflective DLL injection artifacts, Author: ditekSHen
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Gandcrab Payload, Author: kevoreilly
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab, Author: ReversingLabs
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: detects Reflective DLL injection artifacts, Author: ditekSHen
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Gandcrab Payload, Author: kevoreilly
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab, Author: ReversingLabs
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: detects Reflective DLL injection artifacts, Author: ditekSHen
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Gandcrab Payload, Author: kevoreilly
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab, Author: ReversingLabs
Source: OCVOXxB3d1.dll, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: OCVOXxB3d1.dll, type: SAMPLE, Matched rule: ReflectiveLoader (author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15)
Source: OCVOXxB3d1.dll, type: SAMPLE, Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 (date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/)
Source: OCVOXxB3d1.dll, type: SAMPLE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader (author = ditekSHen, description = detects Reflective DLL injection artifacts)
Source: OCVOXxB3d1.dll, type: SAMPLE, Matched rule: Gandcrab (author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload)
Source: OCVOXxB3d1.dll, type: SAMPLE, Matched rule: Win32_Ransomware_GandCrab (tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: ReflectiveLoader (author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15)
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 (date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/)
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader (author = ditekSHen, description = detects Reflective DLL injection artifacts)
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Gandcrab (author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload)
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab (tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: ReflectiveLoader (author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15)
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 (date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/)
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader (author = ditekSHen, description = detects Reflective DLL injection artifacts)
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Gandcrab (author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload)
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab (tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: ReflectiveLoader (author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15)
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 (date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/)
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader (author = ditekSHen, description = detects Reflective DLL injection artifacts)
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Gandcrab (author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload)
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab (tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: ReflectiveLoader (author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15)
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 (date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/)
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader (author = ditekSHen, description = detects Reflective DLL injection artifacts)
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Gandcrab (author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload)
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab (tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: ReflectiveLoader (author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15)
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 (date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/)
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader (author = ditekSHen, description = detects Reflective DLL injection artifacts)
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Gandcrab (author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload)
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab (tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: ReflectiveLoader (author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15)
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 (date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/)
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader (author = ditekSHen, description = detects Reflective DLL injection artifacts)
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Gandcrab (author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload)
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE, Matched rule: Win32_Ransomware_GandCrab (tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware)
Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632
Source: OCVOXxB3d1.dll, Virustotal: Detection: 78%
Source: OCVOXxB3d1.dll, Metadefender: Detection: 62%
Source: OCVOXxB3d1.dll, ReversingLabs: Detection: 96%
Source: OCVOXxB3d1.dll, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0
Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll"
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632
Source: C:\Windows\SysWOW64\rundll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 648
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 580
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5964
Source: C:\Windows\SysWOW64\WerFault.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1236
Source: C:\Windows\SysWOW64\WerFault.exe, File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2B.tmp
Source: classification engine, Classification label: mal96.rans.evad.winDLL@10/12@0/0
Source: C:\Windows\SysWOW64\rundll32.exe, Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe, Automated click: OK
Source: OCVOXxB3d1.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

                    Data Obfuscation

                    barindex
                    Source: Yara matchFile source: OCVOXxB3d1.dll, type: SAMPLE
                    Source: Yara matchFile source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.336006148.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.339378764.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000000.319302985.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000000.318756215.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.323325832.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000000.322856833.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1308, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1236, type: MEMORYSTR
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0359BE65 push es; retf 006Fh | 2_2_0359BE66
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0359F8E5 push es; retf 006Fh | 2_2_0359F8E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0359BE9D push es; retf 006Fh | 2_2_0359BE9E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_035A3B89 push es; retf 006Fh | 2_2_035A3B96
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0359F28D push es; retf 006Fh | 2_2_0359F28E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0359CD28 push eax; ret | 2_2_0359CE6D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0359DC28 push eax; ret | 2_2_0359DC29
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
MITRE ATT&CK matrix, one line per tactic (leading numbers are the counts shown in the report):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: 11 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: 1 Virtualization/Sandbox Evasion; 1 Rundll32; 11 Process Injection; 1 Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 System Information Discovery; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: 1 Proxy; Junk Data; Steganography; Protocol Impersonation
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud