
Analysis Report officina.Dll

Overview

General Information

Sample Name: officina.Dll
Analysis ID: 287926
MD5: 0c47d472a69e47a50f5c4c794e8c4376
SHA1: 62d75a0d19ebb1d24d5519d7aca77876ff2ed5a3
SHA256: dfbc5b7983de8ea77c2eaee6b821132699737755b27007c6f932ac673a6a1ea8
Tags: gozi, isfb, ursnif

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Creates a COM Internet Explorer object
Writes registry values via WMI
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 1548 cmdline: loaddll32.exe 'C:\Users\user\Desktop\officina.Dll' MD5: 6A3082E6152C823BF9EB895EA06EA605)
    • rundll32.exe (PID: 2132 cmdline: C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\officina.Dll',DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4120 cmdline: rundll32.exe C:\Users\user\Desktop\officina.Dll,Doorneighbor MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 2716 cmdline: rundll32.exe C:\Users\user\Desktop\officina.Dll,Hitclaim MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6148 cmdline: rundll32.exe C:\Users\user\Desktop\officina.Dll,Yearthing MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5828 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 872 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000003.570064546.0000000005008000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000003.570024570.0000000005008000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000003.569955229.0000000005008000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000003.569995167.0000000005008000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000001.00000002.623772511.0000000005008000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5B8E90 FindFirstFileExA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_011D1B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04F91B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05521B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: unknown | DNS traffic detected: query: pop53334.yahoo.com, reply code: Server failure (2)
Source: unknown | DNS traffic detected: query: pop53334.yahoo.com, reply code: Name error (3)
Source: unknown | DNS traffic detected: queries for: pop53334.yahoo.com
Source: ~DF23AC15F7B41AD67D.TMP.23.dr, {4BBF8E5D-FC17-11EA-90E2-ECF4BB862DED}.dat.23.dr | String found in binary or memory: http://pop53334.yahoo.com/images/cjNLOfnmDRtZkYRiCFIK/i_2FF8gmC7vkCsWp_2B/OplnzOraYaweMM5TOqtvi4/ohV

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.570064546.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.570024570.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569955229.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569995167.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.623772511.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569802054.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569767267.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569919148.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569870691.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2132, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.399002865.000000000158B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.570064546.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.570024570.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569955229.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569995167.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.623772511.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569802054.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569767267.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569919148.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569870691.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2132, type: MEMORY

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E571AE6 GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E57218C NtMapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E572685 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_011DB0BD NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_011D1AB7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,GetTickCount,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04F91AB7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,GetTickCount,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04F9B0BD NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05521AB7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,GetTickCount,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0552B0BD NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E572464
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5C2850
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_011D9421
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_011DAE9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04F9AE9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04F99421
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05529421
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0552AE9C
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal56.bank.troj.winDLL@12/10@3/0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_011D7790 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\Low
Source: officina.Dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\officina.Dll',DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\officina.Dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\officina.Dll',DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.Dll,Doorneighbor
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.Dll,Hitclaim
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.Dll,Yearthing
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\officina.Dll',DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.Dll,Doorneighbor
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.Dll,Hitclaim
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.Dll,Yearthing
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: officina.Dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: officina.Dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\held\Cat\10\60\84\46\scale\Those\Chart\64\by\Value\Bone\74\24\be.pdb | source: rundll32.exe, 00000001.00000002.625901804.000000006E5C9000.00000002.00020000.sdmp, officina.Dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E572453 push ecx; ret 1_2_6E572463
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E572400 push ecx; ret 1_2_6E572409
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5E4600 push ebp; retf 1_2_6E5E4604
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5E570F push dword ptr [eax]; ret 1_2_6E5E5732
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_011DAE8B push ecx; ret 2_2_011DAE9B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_011DAAD0 push ecx; ret 2_2_011DAAD9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04F9AAD0 push ecx; ret 3_2_04F9AAD9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04F9AE8B push ecx; ret 3_2_04F9AE9B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0552AAD0 push ecx; ret 4_2_0552AAD9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0552AE8B push ecx; ret 4_2_0552AE9B

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.570064546.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.570024570.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569955229.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569995167.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.623772511.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569802054.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569767267.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569919148.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569870691.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2132, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E594730 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (20 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5B8E90 FindFirstFileExA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_011D1B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04F91B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_05521B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5A2CC0 GetSystemInfo
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5721E3 LdrInitializeThunk,GetModuleHandleA,GetProcAddress,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetProcAddress,GetProcAddress
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E59B470 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5AFD10 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E59FAB0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5E2AA7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5E29DD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5E25E7 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5718A7 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E59B470 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E596240 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E596390 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: rundll32.exe, 00000001.00000002.623602356.0000000003220000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000001.00000002.623602356.0000000003220000.00000002.00000001.sdmp | Binary or memory string: NProgram Manager
Source: rundll32.exe, 00000001.00000002.623602356.0000000003220000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: rundll32.exe, 00000001.00000002.623602356.0000000003220000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_011D12A7 cpuid
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E5713AC GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04F912A7 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6E571CFD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.570064546.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.570024570.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569955229.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569995167.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.623772511.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569802054.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569767267.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569919148.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569870691.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2132, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.570064546.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.570024570.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569955229.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569995167.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.623772511.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569802054.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569767267.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569919148.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.569870691.0000000005008000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 2132, type: MEMORY

Mitre Att&ck Matrix

Techniques are listed per tactic column; the number in parentheses is the count of matched signatures for that technique, and unnumbered entries had no match.

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Windows Management Instrumentation (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Application Shimming (1), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Privilege Escalation: Process Injection (2), DLL Side-Loading (1), Application Shimming (1), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
Defense Evasion: Masquerading (1), Process Injection (2), Obfuscated Files or Information (1), Rundll32 (1), DLL Side-Loading (1), Steganography, Compile After Delivery
Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: System Time Discovery (1), Security Software Discovery (2), Process Discovery (2), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (14)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Behavior Graph ID: 287926 | Sample: officina.Dll | Start date: 21/09/2020 | Architecture: WINDOWS | Score: 56
• Signature on the sample: Yara detected Ursnif
• loaddll32.exe started → four rundll32.exe instances started; signatures on rundll32.exe: Writes registry values via WMI, Creates a COM Internet Explorer object
• iexplore.exe started → iexplore.exe started; DNS: pop53334.yahoo.com
