Analysis Report 53b4ee92_by_Libranalysis

Overview

General Information

Sample Name: 53b4ee92_by_Libranalysis (renamed file extension from none to dll)
Analysis ID: 423961
MD5: 53b4ee92df6b24fe6135942c89dbcde6
SHA1: eb1af59b42b72f746534b4b86f64bfb3f32d2421
SHA256: d87d8371cc8f319bbdd154d7fa9f2f3f7d84aa116d1c4d376976579ac66c87e5
Tags: Dridex

Detection

Dridex
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.6eec0000.4.unpack Malware Configuration Extractor: Dridex {"Version": 40112, "C2 list": ["210.65.244.187:443", "162.241.41.92:2303", "46.231.204.10:8172", "185.183.159.100:4125"], "RC4 keys": ["13iy344i0phzqg3KDMwrVPQYVvhM8BSe44BE2Ue", "kzKSt8qEQHayhTKyYDTEtLRRGlRbNhxvyrGI8VdjNHz11pJuXPJ3hNiYRIZjJFGS7xJ"]}
Multi AV Scanner detection for submitted file
Source: 53b4ee92_by_Libranalysis.dll Virustotal: Detection: 68%
Source: 53b4ee92_by_Libranalysis.dll ReversingLabs: Detection: 74%
Machine Learning detection for sample
Source: 53b4ee92_by_Libranalysis.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 53b4ee92_by_Libranalysis.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 53b4ee92_by_Libranalysis.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msvfw32.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000B.00000003.709320403.0000000002D78000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000B.00000003.715278200.0000000004EF1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: glu32.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000B.00000003.708846171.0000000002D72000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb`z% source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: winmm.pdbCi source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000B.00000003.715278200.0000000004EF1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb|z9 source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdbjz+ source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000B.00000003.709346864.0000000002D7E000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000B.00000003.715278200.0000000004EF1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbqi> source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000B.00000003.708846171.0000000002D72000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: opengl32.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: FgvmFpm.pdb source: loaddll32.exe, 00000001.00000002.644007951.000000006FC58000.00000002.00020000.sdmp, 53b4ee92_by_Libranalysis.dll
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000B.00000003.715278200.0000000004EF1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: msvfw32.pdb!i source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbfz? source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000B.00000003.715278200.0000000004EF1000.00000004.00000001.sdmp
Source: Binary string: opengl32.pdbwi8 source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 0000000B.00000003.715353567.00000000050A1000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: propsys.pdbkB source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000B.00000003.709346864.0000000002D7E000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000B.00000003.715316380.0000000005090000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000B.00000003.709320403.0000000002D78000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000B.00000003.715278200.0000000004EF1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000B.00000003.715329287.0000000005097000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000B.00000003.715278200.0000000004EF1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000B.00000003.715278200.0000000004EF1000.00000004.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 210.65.244.187:443
Source: Malware configuration extractor IPs: 162.241.41.92:2303
Source: Malware configuration extractor IPs: 46.231.204.10:8172
Source: Malware configuration extractor IPs: 185.183.159.100:4125
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 210.65.244.187
Source: Joe Sandbox View IP Address: 162.241.41.92
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HINETDataCommunicationBusinessGroupTW
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View ASN Name: ASN-METANETRoutingpeeringissuesnocmetanetchCH
Source: WerFault.exe, 0000000B.00000003.728089253.0000000004A52000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft%
Source: WerFault.exe, 0000000B.00000003.728111768.0000000004AA3000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 00000004.00000002.733102404.000000006EEC1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.6eec0000.4.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC54450 1_2_6FC54450
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EED9348 4_2_6EED9348
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EED0754 4_2_6EED0754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EEC1494 4_2_6EEC1494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EEC846C 4_2_6EEC846C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EED1460 4_2_6EED1460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EED1D58 4_2_6EED1D58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EECA52C 4_2_6EECA52C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EEC90CC 4_2_6EEC90CC
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6932 -s 736
Sample file is different than original file name gathered from version info
Source: 53b4ee92_by_Libranalysis.dll Binary or memory string: OriginalFilenamer2thla.dllN vs 53b4ee92_by_Libranalysis.dll
Uses 32bit PE files
Source: 53b4ee92_by_Libranalysis.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal72.troj.winDLL@6/4@0/4
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6932
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFE01.tmp
Source: 53b4ee92_by_Libranalysis.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\53b4ee92_by_Libranalysis.dll',#1
Source: 53b4ee92_by_Libranalysis.dll Virustotal: Detection: 68%
Source: 53b4ee92_by_Libranalysis.dll ReversingLabs: Detection: 74%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\53b4ee92_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\53b4ee92_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\53b4ee92_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6932 -s 736
Source: 53b4ee92_by_Libranalysis.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 53b4ee92_by_Libranalysis.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC433D3 push ebp; retf 1_2_6FC433F6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC457F2 push ebx; retf 1_2_6FC457F8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC4594C push ss; iretd 1_2_6FC4595D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC4334D push ebx; retf 1_2_6FC43373
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC44351 push ebx; retf 1_2_6FC44357
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC44370 push ebx; retf 1_2_6FC44377
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC43973 push ebx; retf 1_2_6FC43976
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC44F16 push ebp; retf 1_2_6FC44F17
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC44934 push ebx; retf 1_2_6FC44937
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC472C9 push ebp; iretd 1_2_6FC472CA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC470EE push ebx; retf 1_2_6FC470F8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC458EA push ebx; retf 1_2_6FC458F8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC44C96 push ebx; retf 1_2_6FC44C97
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC436A0 push ebp; retf 1_2_6FC436F6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC456B7 push ebx; retf 1_2_6FC456B8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC43C49 push edi; retf 1_2_6FC43C56
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC4647C push ebx; iretd 1_2_6FC4647E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC4740B push ebx; retf 1_2_6FC47418
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC44C29 push di; iretd 1_2_6FC44C2D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6FC44A32 push esp; retf 1_2_6FC44A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EECF6CC push esi; mov dword ptr [esp], 00000000h 4_2_6EECF6CD
Source: initial sample Static PE information: section name: .text entropy: 7.15745095163
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: WerFault.exe, 0000000B.00000002.731045915.0000000004AF0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000B.00000003.728244584.0000000004AD3000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000B.00000003.724531096.0000000004ADA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: WerFault.exe, 0000000B.00000002.731045915.0000000004AF0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000B.00000002.731045915.0000000004AF0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000B.00000002.731045915.0000000004AF0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EEC6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 4_2_6EEC6D50

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\53b4ee92_by_Libranalysis.dll',#1

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 4_2_6EEC6D50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6EEC6D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 4_2_6EEC6D50

Behavior Graph

Behavior Graph ID: 423961
Sample: 53b4ee92_by_Libranalysis
Startdate: 25/05/2021
Architecture: WINDOWS
Score: 72
Contacted IPs: 162.241.41.92 (UNIFIEDLAYER-AS-1US, United States); 185.183.159.100 (NETCUP-ASnetcupGmbHDE, Germany); 2 other IPs or domains
Signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Dridex unpacked file; 2 other signatures
Process chain: loaddll32.exe -> cmd.exe -> rundll32.exe -> WerFault.exe

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
210.65.244.187 | unknown | Taiwan; Republic of China (ROC) | 3462 | HINETDataCommunicationBusinessGroupTW | true
162.241.41.92 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true
46.231.204.10 | unknown | Switzerland | 21069 | ASN-METANETRoutingpeeringissuesnocmetanetchCH | true
185.183.159.100 | unknown | Germany | 197540 | NETCUP-ASnetcupGmbHDE | true