Edit tour

Windows Analysis Report
OCVOXxB3d1.dll

Overview

General Information

Sample Name:	OCVOXxB3d1.dll
Analysis ID:	694555
MD5:	6691e824d3f1dfe97061b18e4b0ae2c6
SHA1:	19af8b88be376cee1fc0033b29cf38eb0f7fb544
SHA256:	2f37a4c72c53bfb4bf25aa9d04afa12b0e1c2cbbd77bc7048be402633b3e28c3
Tags:	dll
Infos:

Detection

Gandcrab, ReflectiveLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Gandcrab

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Malicious sample detected (through community Yara rule)

Yara detected ReflectiveLoader

Found Tor onion address

Machine Learning detection for sample

Uses 32bit PE files

Yara signature match

One or more processes crash

Uses code obfuscation techniques (call, push, ret)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5964 cmdline: loaddll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)

cmd.exe (PID: 1312 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 1236 cmdline: rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5860 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

rundll32.exe (PID: 1308 cmdline: rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5832 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 648 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

WerFault.exe (PID: 5976 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 580 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
OCVOXxB3d1.dll	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x11832:$x1: ReflectiveLoader
OCVOXxB3d1.dll	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x10ff6:$: DECRYPT.txt 0x11048:$: DECRYPT.txt
OCVOXxB3d1.dll	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
OCVOXxB3d1.dll	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
OCVOXxB3d1.dll	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x11831:$s1: _ReflectiveLoader@ 0x11832:$s2: ReflectiveLoader@
OCVOXxB3d1.dll	Gandcrab	Gandcrab Payload	kevoreilly	0x10cc8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
OCVOXxB3d1.dll	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x51f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 25 00 C7 44 24 1C 28 05 25 00 C7 44 24 20 44 05 25 00 C7 44 24 24 64 05 25 00 C7 44 24 28 80 05 25 00 C7 44 24 2C 9C 05 25 00 C7 44 24 30 B4 05 25 00 C7 44 24 34 C8 05 25 00 ... 0x7952:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 24 00 8B 1D 30 B1 24 00 85 C0 74 23 68 60 10 25 00 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 24 00 F7 D8 1B C0 40 75 17 ... 0x5f7e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 24 00 8B 35 70 B1 24 00 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x87c0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 24 00 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 25 00 C7 45 B8 AC 14 25 00 C7 45 BC ... 0x4070:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 24 00 6A 40 68 00 30 00 00 68 01 04 00 ...
Click to see the 2 entries

Memory Dumps

Source	Rule	Description	Author
00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.322931853.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000002.336006148.000000000146B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000003.00000000.319117330.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000002.00000002.339378764.0000000003590000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000000.319302985.0000000003590000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000000.318756215.0000000003590000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000000.318854091.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000000.00000000.323325832.000000000146B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
00000000.00000000.322856833.000000000146B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: loaddll32.exe PID: 5964	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: loaddll32.exe PID: 5964	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: rundll32.exe PID: 1308	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: rundll32.exe PID: 1308	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Process Memory Space: rundll32.exe PID: 1236	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
Process Memory Space: rundll32.exe PID: 1236	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.rundll32.exe.707a0000.1.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10c32:$x1: ReflectiveLoader
2.0.rundll32.exe.707a0000.1.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x103f6:$: DECRYPT.txt 0x10448:$: DECRYPT.txt
2.0.rundll32.exe.707a0000.1.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
2.0.rundll32.exe.707a0000.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
2.0.rundll32.exe.707a0000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10c31:$s1: _ReflectiveLoader@ 0x10c32:$s2: ReflectiveLoader@
2.0.rundll32.exe.707a0000.1.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x100c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
2.0.rundll32.exe.707a0000.1.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x45f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 9F 60 C7 44 24 1C 28 05 9F 60 C7 44 24 20 44 05 9F 60 C7 44 24 24 64 05 9F 60 C7 44 24 28 80 05 9F 60 C7 44 24 2C 9C 05 9F 60 C7 44 24 30 B4 05 9F 60 C7 44 24 34 C8 05 9F 60 ... 0x6d52:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 9E 60 8B 1D 30 B1 9E 60 85 C0 74 23 68 60 10 9F 60 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 9E 60 F7 D8 1B C0 40 75 17 ... 0x537e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 9E 60 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x7bc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 9E 60 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 9F 60 C7 45 B8 AC 14 9F 60 C7 45 BC ... 0x3470:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.loaddll32.exe.707a0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10c32:$x1: ReflectiveLoader
0.0.loaddll32.exe.707a0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x103f6:$: DECRYPT.txt 0x10448:$: DECRYPT.txt
0.0.loaddll32.exe.707a0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.loaddll32.exe.707a0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.loaddll32.exe.707a0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10c31:$s1: _ReflectiveLoader@ 0x10c32:$s2: ReflectiveLoader@
0.0.loaddll32.exe.707a0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x100c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.loaddll32.exe.707a0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x45f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 9F 60 C7 44 24 1C 28 05 9F 60 C7 44 24 20 44 05 9F 60 C7 44 24 24 64 05 9F 60 C7 44 24 28 80 05 9F 60 C7 44 24 2C 9C 05 9F 60 C7 44 24 30 B4 05 9F 60 C7 44 24 34 C8 05 9F 60 ... 0x6d52:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 9E 60 8B 1D 30 B1 9E 60 85 C0 74 23 68 60 10 9F 60 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 9E 60 F7 D8 1B C0 40 75 17 ... 0x537e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 9E 60 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x7bc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 9E 60 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 9F 60 C7 45 B8 AC 14 9F 60 C7 45 BC ... 0x3470:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 68 01 04 00 ...
0.0.loaddll32.exe.707a0000.1.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10c32:$x1: ReflectiveLoader
0.0.loaddll32.exe.707a0000.1.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x103f6:$: DECRYPT.txt 0x10448:$: DECRYPT.txt
0.0.loaddll32.exe.707a0000.1.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
0.0.loaddll32.exe.707a0000.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
0.0.loaddll32.exe.707a0000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10c31:$s1: _ReflectiveLoader@ 0x10c32:$s2: ReflectiveLoader@
0.0.loaddll32.exe.707a0000.1.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x100c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
0.0.loaddll32.exe.707a0000.1.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x45f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 9F 60 C7 44 24 1C 28 05 9F 60 C7 44 24 20 44 05 9F 60 C7 44 24 24 64 05 9F 60 C7 44 24 28 80 05 9F 60 C7 44 24 2C 9C 05 9F 60 C7 44 24 30 B4 05 9F 60 C7 44 24 34 C8 05 9F 60 ... 0x6d52:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 9E 60 8B 1D 30 B1 9E 60 85 C0 74 23 68 60 10 9F 60 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 9E 60 F7 D8 1B C0 40 75 17 ... 0x537e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 9E 60 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x7bc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 9E 60 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 9F 60 C7 45 B8 AC 14 9F 60 C7 45 BC ... 0x3470:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 68 01 04 00 ...
2.0.rundll32.exe.707a0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10c32:$x1: ReflectiveLoader
2.0.rundll32.exe.707a0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x103f6:$: DECRYPT.txt 0x10448:$: DECRYPT.txt
2.0.rundll32.exe.707a0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
2.0.rundll32.exe.707a0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
2.0.rundll32.exe.707a0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10c31:$s1: _ReflectiveLoader@ 0x10c32:$s2: ReflectiveLoader@
2.0.rundll32.exe.707a0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x100c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
2.0.rundll32.exe.707a0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x45f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 9F 60 C7 44 24 1C 28 05 9F 60 C7 44 24 20 44 05 9F 60 C7 44 24 24 64 05 9F 60 C7 44 24 28 80 05 9F 60 C7 44 24 2C 9C 05 9F 60 C7 44 24 30 B4 05 9F 60 C7 44 24 34 C8 05 9F 60 ... 0x6d52:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 9E 60 8B 1D 30 B1 9E 60 85 C0 74 23 68 60 10 9F 60 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 9E 60 F7 D8 1B C0 40 75 17 ... 0x537e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 9E 60 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x7bc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 9E 60 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 9F 60 C7 45 B8 AC 14 9F 60 C7 45 BC ... 0x3470:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 68 01 04 00 ...
3.0.rundll32.exe.707a0000.0.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10c32:$x1: ReflectiveLoader
3.0.rundll32.exe.707a0000.0.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x103f6:$: DECRYPT.txt 0x10448:$: DECRYPT.txt
3.0.rundll32.exe.707a0000.0.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
3.0.rundll32.exe.707a0000.0.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
3.0.rundll32.exe.707a0000.0.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10c31:$s1: _ReflectiveLoader@ 0x10c32:$s2: ReflectiveLoader@
3.0.rundll32.exe.707a0000.0.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x100c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
3.0.rundll32.exe.707a0000.0.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x45f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 9F 60 C7 44 24 1C 28 05 9F 60 C7 44 24 20 44 05 9F 60 C7 44 24 24 64 05 9F 60 C7 44 24 28 80 05 9F 60 C7 44 24 2C 9C 05 9F 60 C7 44 24 30 B4 05 9F 60 C7 44 24 34 C8 05 9F 60 ... 0x6d52:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 9E 60 8B 1D 30 B1 9E 60 85 C0 74 23 68 60 10 9F 60 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 9E 60 F7 D8 1B C0 40 75 17 ... 0x537e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 9E 60 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x7bc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 9E 60 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 9F 60 C7 45 B8 AC 14 9F 60 C7 45 BC ... 0x3470:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 68 01 04 00 ...
3.0.rundll32.exe.707a0000.1.unpack	ReflectiveLoader	Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended	Florian Roth	0x10c32:$x1: ReflectiveLoader
3.0.rundll32.exe.707a0000.1.unpack	SUSP_RANSOMWARE_Indicator_Jul20	Detects ransomware indicator	Florian Roth	0x103f6:$: DECRYPT.txt 0x10448:$: DECRYPT.txt
3.0.rundll32.exe.707a0000.1.unpack	JoeSecurity_Gandcrab	Yara detected Gandcrab	Joe Security
3.0.rundll32.exe.707a0000.1.unpack	JoeSecurity_ReflectiveLoader	Yara detected ReflectiveLoader	Joe Security
3.0.rundll32.exe.707a0000.1.unpack	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen	0x10c31:$s1: _ReflectiveLoader@ 0x10c32:$s2: ReflectiveLoader@
3.0.rundll32.exe.707a0000.1.unpack	Gandcrab	Gandcrab Payload	kevoreilly	0x100c8:$string3: action=result&e_files=%d&e_size=%I64u&e_time=%d&
3.0.rundll32.exe.707a0000.1.unpack	Win32_Ransomware_GandCrab	unknown	ReversingLabs	0x45f3:$search_antivirus_processes_v2: C7 44 24 18 0C 05 9F 60 C7 44 24 1C 28 05 9F 60 C7 44 24 20 44 05 9F 60 C7 44 24 24 64 05 9F 60 C7 44 24 28 80 05 9F 60 C7 44 24 2C 9C 05 9F 60 C7 44 24 30 B4 05 9F 60 C7 44 24 34 C8 05 9F 60 ... 0x6d52:$find_files_v2_1: 6A 00 6A 00 8D 85 80 F5 FF FF 50 6A 00 FF 15 E0 B1 9E 60 8B 1D 30 B1 9E 60 85 C0 74 23 68 60 10 9F 60 8D 85 80 F5 FF FF 50 FF D3 8D 85 80 F5 FF FF 50 56 FF 15 38 B1 9E 60 F7 D8 1B C0 40 75 17 ... 0x537e:$remote_connection_v2_1: 53 89 45 F4 FF 15 C4 B1 9E 60 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 8D 3C 45 00 04 00 00 8D 47 01 50 6A 00 FF D6 6A 40 68 00 30 00 00 68 01 20 03 00 6A 00 8B D8 FF D6 89 45 FC 85 DB 74 0B 8D ... 0x7bc0:$search_antivirus_processes_v4: 55 8B EC 83 EC 4C 53 56 8B 35 70 B1 9E 60 57 6A 04 68 00 30 00 00 68 00 04 00 00 6A 00 FF D6 8B 5D 08 6A 04 68 00 30 00 00 6A 04 6A 00 89 03 C7 45 B4 9C 14 9F 60 C7 45 B8 AC 14 9F 60 C7 45 BC ... 0x3470:$crypt_files_v3: 55 8B EC 81 EC 84 01 00 00 53 56 57 8D 45 DC C7 45 EC 00 00 00 00 50 8D 45 EC C7 45 DC 00 00 00 00 50 6A 00 8B D9 8B CA 6A 00 E8 B1 2F 00 00 8B 35 70 B1 9E 60 6A 40 68 00 30 00 00 68 01 04 00 ...
Click to see the 37 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OCVOXxB3d1.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: OCVOXxB3d1.dll	Virustotal: Detection: 78%	Perma Link
Source: OCVOXxB3d1.dll	Metadefender: Detection: 62%	Perma Link
Source: OCVOXxB3d1.dll	ReversingLabs: Detection: 96%

Antivirus detection for URL or domain

Source: http://gandcrab2pie73et.onion/cb44cde56c4e43dc

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: OCVOXxB3d1.dll

Joe Sandbox ML: detected

Source: OCVOXxB3d1.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: OCVOXxB3d1.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Networking

Found Tor onion address

Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: OCVOXxB3d1.dll	String found in binary or memory: 3. Open link in TOR browser: http://gandcrab2pie73et.onion/cb44cde56c4e43dc

Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: http://gandcrab2pie73et.onion/cb44cde56c4e43dc
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: http://sj.ms/register.php
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: https://psi-im.org/download/
Source: loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands

Yara detected Gandcrab

Source: Yara match	File source: OCVOXxB3d1.dll, type: SAMPLE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322931853.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.319117330.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318854091.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1236, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab Payload Author: kevoreilly
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab Author: ReversingLabs

Source: OCVOXxB3d1.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: OCVOXxB3d1.dll, type: SAMPLE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, nodeepdive = , score = 2017-07-17, reference = Internal Research, modified = 2021-03-15
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Gandcrab author = kevoreilly, description = Gandcrab Payload, cape_type = Gandcrab Payload
Source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_GandCrab tc_detection_name = GandCrab, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware

Source: C:\Windows\SysWOW64\rundll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632

Source: OCVOXxB3d1.dll	Virustotal: Detection: 78%
Source: OCVOXxB3d1.dll	Metadefender: Detection: 62%
Source: OCVOXxB3d1.dll	ReversingLabs: Detection: 96%

Source: OCVOXxB3d1.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 648
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 580
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1308
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5964
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1236

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2B.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.rans.evad.winDLL@10/12@0/0

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: OCVOXxB3d1.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH

Data Obfuscation

Yara detected ReflectiveLoader

Source: Yara match	File source: OCVOXxB3d1.dll, type: SAMPLE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.loaddll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.rundll32.exe.707a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.336006148.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.339378764.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319302985.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318756215.0000000003590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.323325832.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.322856833.000000000146B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5964, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1236, type: MEMORYSTR

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359BE65 push es; retf 006Fh
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359F8E5 push es; retf 006Fh
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359BE9D push es; retf 006Fh
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_035A3B89 push es; retf 006Fh
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359F28D push es; retf 006Fh
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359CD28 push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_0359DC28 push eax; ret

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Proxy	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Rundll32	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
OCVOXxB3d1.dll	78%	Virustotal		Browse
OCVOXxB3d1.dll	63%	Metadefender		Browse
OCVOXxB3d1.dll	96%	ReversingLabs	Win32.Ransomware.GandCrab
OCVOXxB3d1.dll	100%	Avira	HEUR/AGEN.1239798
OCVOXxB3d1.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.0.loaddll32.exe.707a0000.0.unpack	100%	Avira	HEUR/AGEN.1239798	Download File
3.0.rundll32.exe.707a0000.1.unpack	100%	Avira	HEUR/AGEN.1239798	Download File
2.0.rundll32.exe.707a0000.1.unpack	100%	Avira	HEUR/AGEN.1239798	Download File
2.0.rundll32.exe.707a0000.0.unpack	100%	Avira	HEUR/AGEN.1239798	Download File
3.0.rundll32.exe.707a0000.0.unpack	100%	Avira	HEUR/AGEN.1239798	Download File
0.0.loaddll32.exe.707a0000.1.unpack	100%	Avira	HEUR/AGEN.1239798	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://gandcrab2pie73et.onion/cb44cde56c4e43dc	100%	Avira URL Cloud	malware
https://psi-im.org/download/	0%	Virustotal		Browse
https://psi-im.org/download/	0%	Avira URL Cloud	safe
http://sj.ms/register.php	0%	Virustotal		Browse
http://sj.ms/register.php	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.sfu.ca/jabber/Psi_Jabber_PC.pdf	loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	false		high
https://www.torproject.org/	loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	false		high
http://gandcrab2pie73et.onion/cb44cde56c4e43dc	loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	true	Avira URL Cloud: malware	unknown
https://psi-im.org/download/	loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://sj.ms/register.php	loaddll32.exe, 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, rundll32.exe, 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, OCVOXxB3d1.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694555
Start date and time:	2022-08-31 23:46:11 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 33s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	OCVOXxB3d1.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.rans.evad.winDLL@10/12@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, eudb.ris.api.iris.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target rundll32.exe, PID 1308 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_76b43c6d9c1a2a81832137409fd652e3d2404ae8_7cac0383_17015320\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8219435914224157
Encrypted:	false
SSDEEP:	96:6KjO4w+nYyTy9ha67QfHpXIQcQSc6mcEUcw3/s+a+z+HbHgXVG4rmMoVazWbSmfb:bwmnpHsieryjIq/u7sxlS274ItW
MD5:	95ACD9DF347422031C670B7066AC74BA
SHA1:	10525B285C7BDF86CD78FD174E3DE54C8D909162
SHA-256:	331A2996DA6529167C785EB044F4077E35028A54F9BB9FF1116D9B0FEA6CE343
SHA-512:	B294F88B7D4470BC27B513B075DD421D534FED10ED1CE0C37BA7338983E1853C5FCB51925C23501C5FFDF389D3DD1A057A620E4AD7CA73D0FC285281F69454C1
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.6.4.5.6.0.3.6.7.1.7.6.0.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.d.c.0.1.3.1.8.-.e.7.8.f.-.4.1.c.c.-.a.3.5.b.-.d.e.1.3.c.3.c.f.3.b.1.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.4.4.2.f.6.f.9.-.e.5.9.8.-.4.c.9.9.-.8.2.3.7.-.4.c.5.5.6.7.1.f.2.b.a.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.4.c.-.0.0.0.1.-.0.0.1.f.-.9.a.6.1.-.2.1.3.8.8.3.b.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bc4dba44e5104f2aa4617139c4a8f4569b60d283_82810a17_16914f67\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9059728363114952
Encrypted:	false
SSDEEP:	192:Ni4F0oXvHKvgsv5yjed+s/u7sxlS274ItWc:Ni2XvKvgsv5yjeJ/u7sDX4ItWc
MD5:	0E43BD8D941E00246C3F93C725F58C00
SHA1:	103477A1BB721B5F45C1B9AAE92D3C5004DF8740
SHA-256:	C424147059729E531C6B3C3FCD54A7EF48787A3E8F14E763FFC1EA8D337B8E54
SHA-512:	25884F17DF579965EE2A8AD82454FD7009690130C6A633AA0EE9BAC6BEDE04740CF2E5F821A3B8E413B976F374C3106C33FE634D2282CFEBBBC422355C7EDF14
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.6.4.5.6.0.3.5.2.2.8.8.7.4.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.f.6.9.3.6.c.-.4.6.0.b.-.4.3.a.9.-.9.7.0.c.-.4.9.e.9.d.b.a.8.7.e.6.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.a.3.4.5.8.0.6.-.f.4.9.b.-.4.d.7.4.-.a.d.c.c.-.d.b.e.f.1.f.e.d.d.0.9.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.1.c.-.0.0.0.1.-.0.0.1.f.-.c.2.0.8.-.c.7.3.8.8.3.b.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bc4dba44e5104f2aa4617139c4a8f4569b60d283_82810a17_16bd4e9c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9061603001604426
Encrypted:	false
SSDEEP:	192:eiDF0oXXHKvgsv5yjed+s/u7sxlS274ItWc:ei3X3Kvgsv5yjeJ/u7sDX4ItWc
MD5:	783CD9979B465BD56A312A81AF23779A
SHA1:	29B7032B54142465F189F1AEE7748710FF5EBFB5
SHA-256:	3807EFA10516AB62401122798BBBD67B23AF952ABFEC4ABA8E583557C2237FEC
SHA-512:	1F4927BB2A1739DF6EFB1906AB6697F4C18840324AC832F580726BCE50530D052EF974131D081839588DC5CF79CD8572B03093525BF2BE0F1A2DE2628D50EB9E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.0.6.4.5.6.0.3.5.2.2.2.1.5.4.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.3.3.4.1.c.d.-.6.e.0.e.-.4.d.f.4.-.b.e.c.7.-.3.3.f.c.e.4.b.8.6.7.5.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.5.b.d.f.d.e.-.4.2.c.5.-.4.8.a.1.-.b.0.8.f.-.4.2.c.2.7.1.8.7.8.0.1.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.d.4.-.0.0.0.1.-.0.0.1.f.-.7.7.7.b.-.c.a.3.8.8.3.b.d.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.b.5.f.!.r.u.n.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.1.9.8.6././.0.1././.3.0.:.1.1.:.4.2.:.4.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2B.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Aug 31 21:47:16 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	43486
Entropy (8bit):	2.274269068482752
Encrypted:	false
SSDEEP:	192:pWpn6YVH3knIeO5Skb9lt9duccFTKdM9TrRSi8M7XWMNCo8sbvn3:U3kI5Lbjtr3cbrRO4WMNCoT3
MD5:	1688DFDDC1A7CFFD64ABAE1D9FDF5B4B
SHA1:	B829431D220B16F3C17A2535A380A8B65624A314
SHA-256:	6B62B0BBDB73F05CACAE57352DB90055E6B0F94D72824FCAFD8B578545FB72F5
SHA-512:	D0B31EEED1272279E27C4432988DBEA82E29E43C03D932F8D72C7403C6E7C329073B620062AA836934A88528C64AF94016C3532D3A614522C9BB64C6686F8551
Malicious:	false
Preview:	MDMP....... ..........c....................................$...p-..........T.......8...........T...........8................................................................................................U...........B...... .......GenuineIntelW...........T..............c.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F3A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Aug 31 21:47:16 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	44546
Entropy (8bit):	2.2181879012483754
Encrypted:	false
SSDEEP:	192:pxpn6YeHYD1+BrO5SkbTIhOPNWacqTfvRaNFFnTSs/FRmBpFLf//fS:YU1+M5LbTKNqTfvA/W4mTpX
MD5:	88AD55E140DCF676E1F10C35D308EEFA
SHA1:	79BC019333884EF72AC9BC04A8F692EC808C806A
SHA-256:	B98701697E90C5116F4588830C0A94BAE6C702982CF90A03F14E85715F035BFF
SHA-512:	3797FDF24B4AF08730EA694194D645D821C0AB367AB92A4A1204009F2D5912CAA5580C8644E3D16AB4C4543F16D8D05EBCC4FAE69DEE897483601C7739636B95
Malicious:	false
Preview:	MDMP....... ..........c........................................p-..........T.......8...........T............................................................................................................U...........B...... .......GenuineIntelW...........T..............c.............................0..1...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4507.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Aug 31 21:47:17 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	49244
Entropy (8bit):	2.0375918571791765
Encrypted:	false
SSDEEP:	192:+8Vu5UeHny7OAOXzLtpRpCCcf/v/e+b3xFr8X+M/t8vKc:+hy7YXHtpRpc3Hew3Lr8X+0c
MD5:	E7CC47358ED5F64B03295BD8DB88DFCB
SHA1:	2BF9AEDCC11C1F2724D7BDAF396546B415C05736
SHA-256:	5BC1E47342D3F3553F48F8C96ADFF79E14B22903D4D73EA625676F263B854E22
SHA-512:	226FD21F0E7735205C2E4D702B8F10D01E0D22F148B00295088445333AC7717321E8D31AC5CA7D6ECC2CA845E80538FC55EA7B7D8499CBB5E19E2659428045E9
Malicious:	false
Preview:	MDMP....... ..........c........................\...........$...4.......T....*..........`.......8...........T...............D...........X...........D....................................................................U...........B..............GenuineIntelW...........T.......L......c.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4575.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8252
Entropy (8bit):	3.6875080044315642
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiLb6y6Ya496PgmfTUSJD+pBP89b9jmsfpfm:RrlsNiX6y6YF6PgmfTUSJ19jFfs
MD5:	6F9B680C0E9FD815034863A19A09F0CA
SHA1:	EF8AA76D4DFEBBA9FF3340A0D9579F435D130B91
SHA-256:	BA7DD8511B31E67468312420ABCB7A5D438566594B9ADD94D5271171F6EC00A4
SHA-512:	268B672BD84BF35EF5BF28A84912D4BB240E7C4778734B90987AFCE87B1B390D33D69BD92391D9437BC6A89B659CED4098417948CAFB400A0E28DA8C51B1DDCD
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.2.3.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4640.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8268
Entropy (8bit):	3.690507572614585
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNivM6G6YBa867gmfTUSJD+pBo89b0PsfGcm:RrlsNiU6G6YBR67gmfTUSJg00fE
MD5:	5BAF0E9F6A37EB6F07C4CBBD6EDED2F3
SHA1:	1F425F18A1ECF3DA4463BF7100F3FDEF47280CCA
SHA-256:	DAFE41118C94B84086C07FFD42C1FDB50B94CC231AE8E7BC1211192F1E939BD6
SHA-512:	C91B0452F18A6DC11C0C36A8F9A3D1A32E6A4C1183800C9855FF4A9B4F7A1DD938C5EF2506C60533120A0D944D8B05A29F751A7205D60C5BAB7AFE9E34A486BB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.3.0.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER473B.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.4618065372208475
Encrypted:	false
SSDEEP:	48:cvIwSD8zsuJgtWI9bqXIWgc8sqYj58fm8M4JCds4FH+q8/Ykn4SrS3d:uITfklRgrsqYiJEGDW3d
MD5:	273FA6851D98B791A1CECC9313B2915A
SHA1:	E037D48FD99464850F5A9AD3FA478DE644EC3B9A
SHA-256:	BB7E6151582D13A2001C87D7F303C17CABFDB3C07066103E77530C6C13940DDB
SHA-512:	08EC2BC2AE2A53E1A8BFB083AF2287EC4F12F583B0DA547B62CCA6C91816274B30E1C060D147116FA2BFE12F1DD8194EF9DA481F2FAA347E3DCDC0A22832CEE9
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1672257" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4806.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4630
Entropy (8bit):	4.460891305904555
Encrypted:	false
SSDEEP:	48:cvIwSD8zsuJgtWI9bqXIWgc8sqYjs8fm8M4JCds4FGd+q8/Yh4SrScd:uITfklRgrsqYlJJd1DWcd
MD5:	28FCD77204FC00608F4BFF4357A62849
SHA1:	72FBF7B36FF9735BC7019AACC2C724A548DD8EEE
SHA-256:	33A0DBABCEC16311ADF77B4013428E86D9D46C673D5E1BA78B9A36616B6C2EF1
SHA-512:	0AA5E01B0547DDD64E3F1B9CE9536745861D50B9CA24539059AEC495BFEDD80C63048E38FCF7C940BFC7880D9A6E6A0B1EE457CA0035FDF15412A6149CFA1F53
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1672257" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WER495D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8290
Entropy (8bit):	3.6909080311125346
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNipil6V6YejSUCv4gmfdSwGN+pBY89b0Rsfgcm:RrlsNipg6V6YKSUo4gmfdSwX0KfK
MD5:	1A5328611B6731DD8F1FEDE0131B63FC
SHA1:	E8BD88E0C049147C34D40408BFA6BF7E285F4456
SHA-256:	DDC2E94C8077F58151A79623999842212BB140D0E10A54EF56CDC09E5C757CCD
SHA-512:	3EF014F3E35E451A23D764CE981507175A6D5E112E93DB14C94A53CD99DD59AA5B8F315401281702C538F64C67B6A486C0FABC9F726BF4D13B1E488FA82F37A4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.6.4.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B81.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4558
Entropy (8bit):	4.441534069305487
Encrypted:	false
SSDEEP:	48:cvIwSD8zsuJgtWI9bqXIWgc8sqYj48fm8M4J2+4FsMj+q84IWKcQIcQw0Nd:uITfklRgrsqYJJyPKkw0Nd
MD5:	509A64232BA25A6C9DF94BEE4CB1AFDD
SHA1:	69FC5B75F0A1704818E8A27CDA03D6B98EB8EA35
SHA-256:	3C9F901ADA94016F0E9C44F1C85F5E3489567F38DFA0FF9D354B16B5D0FD11B5
SHA-512:	DF2A12D7889FBF2B93DD077C872035186EE461C956E81F43148AC158D5E9B0B2C8D5A96621503B09683B8F61864E2D87191D5AF6935F1F1A2E78AA6D9089955C
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1672257" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.585348207057707
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OCVOXxB3d1.dll
File size:	94208
MD5:	6691e824d3f1dfe97061b18e4b0ae2c6
SHA1:	19af8b88be376cee1fc0033b29cf38eb0f7fb544
SHA256:	2f37a4c72c53bfb4bf25aa9d04afa12b0e1c2cbbd77bc7048be402633b3e28c3
SHA512:	895f2aced8ebc104db52d08ef156809957101b8807ab521721b04f7782d0e843f4ff57c2861cdfb526120985a89b630788864c235972c31d5a34e89f02bfc893
SSDEEP:	1536:JBBBBBBBBBBBBRuT0rJEkSQLazgSC2aEbTHaBcMqqU+2bbbAV2/S2TrKU7:o+JRbLwgpEbT9MqqDL2/TrK
TLSH:	61937F10B3F14E56E6F26ABB9AB9FE55407D3D106B39B8CB41C409CA0D621E36935F83
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l.u...&...&...&.\.&...&.\;&...&._;&...&...&...&.uH&...&...&}..&._>&...&._.&...&._.&...&._.&...&Rich...&........PE..L......Z...

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x10005820
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH
Time Stamp:	0x5AF0C6DB [Mon May 7 21:36:27 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	1615a1cd5d3909399ee1f2121f6cefbc

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0Ch
mov dword ptr [ebp-0Ch], 00000001h
mov eax, dword ptr [ebp+0Ch]
mov dword ptr [ebp-08h], eax
cmp dword ptr [ebp-08h], 01h
je 00007F4044A91E16h
jmp 00007F4044A91E3Ch
jmp 00007F4044A91E3Ah
push 00000000h
push 00000000h
push 00000000h
push 002454E0h
push 00000000h
push 00000000h
call dword ptr [0024B1B8h]
mov dword ptr [ebp-04h], eax
cmp dword ptr [ebp-04h], 00000000h
je 00007F4044A91E1Ch
mov ecx, dword ptr [ebp-04h]
push ecx
call dword ptr [0024B0E0h]
mov eax, dword ptr [ebp-0Ch]
mov esp, ebp
pop ebp
retn 000Ch
int3
int3
push ebp
mov ebp, esp
sub esp, 5Ch
push esi
push 00000044h
lea eax, dword ptr [ebp-58h]
xorps xmm0, xmm0
push 00000000h
push eax
mov esi, ecx
movdqu dqword ptr [ebp-10h], xmm0
call 00007F4044A965A7h
mov eax, dword ptr [00253D18h]
add esp, 0Ch
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-1Ch], eax
mov eax, dword ptr [00253D14h]
or dword ptr [ebp-2Ch], 00000101h
mov dword ptr [ebp-20h], eax
xor eax, eax
mov word ptr [ebp-28h], ax
lea eax, dword ptr [ebp-10h]
push eax
lea eax, dword ptr [ebp-58h]
mov dword ptr [ebp-58h], 00000044h
push eax
push 00000000h
push 00000000h
push 00000000h
push 00000001h
push 00000000h
push 00000000h
push esi
push 00000000h
call dword ptr [0024B0BCh]
test eax, eax
jne 00007F4044A91E1Dh
call dword ptr [0024B188h]
pop esi
mov esp, ebp
pop ebp
ret
push dword ptr [ebp-10h]

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[IMP] VS2008 SP1 build 30729
[EXP] VS2013 build 21005
[RES] VS2013 build 21005
[LNK] VS2013 build 21005

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x117f0	0x55	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11848	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x15000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc30	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb000	0x27c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa000	0xa000	False	0.433349609375	data	6.058990446424444	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xb000	0x8000	0x8000	False	0.462799072265625	data	5.861163074824807	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x13000	0x1000	0x1000	False	0.2724609375	data	2.8951140973529945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x14000	0x1000	0x1000	False	0.007568359375	ISO-8859 text, with no line terminators	0.00984533685142915	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x15000	0x1000	0x1000	False	0.06982421875	data	0.9533671901378512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0x1000	0x1000	False	0.658203125	data	5.847436562339401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x15060	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	Sleep, TerminateProcess, VerifyVersionInfoW, WaitForMultipleObjects, DeleteCriticalSection, LocalFree, ExpandEnvironmentStringsW, CreateProcessW, SetHandleInformation, lstrcatA, MultiByteToWideChar, CreatePipe, Process32FirstW, Process32NextW, CreateToolhelp32Snapshot, LeaveCriticalSection, CloseHandle, FindFirstFileW, GetFileAttributesW, lstrcmpW, MoveFileW, FindClose, FindNextFileW, SetFileAttributesW, GetNativeSystemInfo, GetComputerNameW, TerminateThread, GetWindowsDirectoryW, GetVolumeInformationW, LoadLibraryA, GetSystemDirectoryW, OpenProcess, InitializeCriticalSection, WaitForSingleObject, VerSetConditionMask, GetDriveTypeW, lstrcatW, IsProcessorFeaturePresent, lstrcmpiW, CreateFileMappingW, lstrlenW, ExitThread, CreateFileW, GetModuleFileNameW, WriteFile, GetModuleHandleW, UnmapViewOfFile, MapViewOfFile, GetFileSize, GetEnvironmentVariableW, lstrcpyA, GetModuleHandleA, VirtualAlloc, GetProcAddress, GetProcessHeap, HeapFree, CreateMutexW, lstrcpyW, GetLastError, SetFilePointerEx, LocalAlloc, GlobalFree, GetTempPathW, MulDiv, GlobalAlloc, GetTickCount, ReadFile, lstrcmpiA, VirtualFree, GetDiskFreeSpaceW, CreateThread, GetCurrentProcess, HeapAlloc, lstrlenA, EnterCriticalSection, ExitProcess
USER32.dll	DrawTextW, DrawTextA, GetDC, ReleaseDC, EndPaint, DestroyWindow, GetMessageW, LoadCursorW, BeginPaint, FillRect, TranslateMessage, RegisterClassExW, SetWindowLongW, MessageBoxA, wsprintfA, SystemParametersInfoW, ShowWindow, CreateWindowExW, SendMessageW, DispatchMessageW, DefWindowProcW, UpdateWindow, GetForegroundWindow, CharUpperBuffW, wsprintfW, LoadIconW
GDI32.dll	DeleteObject, SelectObject, CreateCompatibleDC, CreateCompatibleBitmap, SetPixel, GetObjectW, GetPixel, GetStockObject, TextOutW, SetBkColor, GetDIBits, GetDeviceCaps, DeleteDC, CreateFontW, SetTextColor
ADVAPI32.dll	RegCreateKeyExW, RegCloseKey, RegSetValueExW, OpenProcessToken, GetSidSubAuthority, GetSidSubAuthorityCount, GetTokenInformation, CryptExportKey, CryptAcquireContextW, CryptGetKeyParam, CryptReleaseContext, CryptImportKey, CryptEncrypt, CryptGenKey, CryptDestroyKey, RegQueryValueExW, RegOpenKeyExW, AllocateAndInitializeSid, FreeSid, GetUserNameW
SHELL32.dll	SHGetSpecialFolderPathW, ShellExecuteW, ShellExecuteExW
CRYPT32.dll	CryptBinaryToStringA, CryptStringToBinaryA
WININET.dll	InternetCloseHandle, HttpAddRequestHeadersW, HttpSendRequestW, InternetConnectW, HttpOpenRequestW, InternetOpenW, InternetReadFile
PSAPI.DLL	EnumDeviceDrivers, GetDeviceDriverBaseNameW

Exports

Name	Ordinal	Address
_ReflectiveLoader@0	1	0x10006b40

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 5964, Parent PID: 2452

General

Target ID:	0
Start time:	23:47:08
Start date:	31/08/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll"
Imagebase:	0xa60000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.323778830.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.324075538.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.322931853.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000002.336006148.000000000146B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.322923827.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.323325832.000000000146B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000000.00000000.322856833.000000000146B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: cmd.exePID: 1312, Parent PID: 5964

General

Target ID:	1
Start time:	23:47:09
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Imagebase:	0xd90000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exePID: 1308, Parent PID: 5964

General

Target ID:	2
Start time:	23:47:09
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\OCVOXxB3d1.dll,_ReflectiveLoader@0
Imagebase:	0xaf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000002.00000000.319338350.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000002.00000002.339378764.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000002.00000000.319302985.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000002.00000000.318756215.0000000003590000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000002.00000000.319333495.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000002.00000000.318854091.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000002.00000000.318848277.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exePID: 1236, Parent PID: 1312

General

Target ID:	3
Start time:	23:47:09
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\OCVOXxB3d1.dll",#1
Imagebase:	0xaf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000003.00000000.318645955.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000003.00000000.319112722.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000003.00000000.319117330.00000000707B3000.00000008.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Gandcrab, Description: Yara detected Gandcrab, Source: 00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_ReflectiveLoader, Description: Yara detected ReflectiveLoader, Source: 00000003.00000000.318638611.00000000707AB000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: WerFault.exePID: 5860, Parent PID: 1236

General

Target ID:	7
Start time:	23:47:13
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 632
Imagebase:	0x1300000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 5832, Parent PID: 1308

General

Target ID:	8
Start time:	23:47:13
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 648
Imagebase:	0x7ff61e220000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: WerFault.exePID: 5976, Parent PID: 5964

General

Target ID:	10
Start time:	23:47:15
Start date:	31/08/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5964 -s 580
Imagebase:	0x1300000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OCVOXxB3d1.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_76b43c6d9c1a2a81832137409fd652e3d2404ae8_7cac0383_17015320\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bc4dba44e5104f2aa4617139c4a8f4569b60d283_82810a17_16914f67\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_bc4dba44e5104f2aa4617139c4a8f4569b60d283_82810a17_16bd4e9c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F2B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3F3A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4507.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4575.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4640.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER473B.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4806.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER495D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4B81.tmp.xml

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Windows Analysis Report
OCVOXxB3d1.dll