
Analysis Report officina.dll

Overview

General Information

Sample Name: officina.dll
Analysis ID: 288014
MD5: bd3f26523c5cad6fe9632bfd4f6449bc
SHA1: 492f9c4bb1bba2f94b889e9de68e9a6b0289de41
SHA256: 34ad177800e89a94d27b7ea4f39cd805c2910fa6afcb835501567b59415af0ed
Tags: dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Creates a COM Internet Explorer object
Writes registry values via WMI
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6820 cmdline: loaddll32.exe 'C:\Users\user\Desktop\officina.dll' MD5: 6A3082E6152C823BF9EB895EA06EA605)
    • rundll32.exe (PID: 6828 cmdline: C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\officina.dll',DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6836 cmdline: rundll32.exe C:\Users\user\Desktop\officina.dll,Crossice MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6872 cmdline: rundll32.exe C:\Users\user\Desktop\officina.dll,Softmore MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6888 cmdline: rundll32.exe C:\Users\user\Desktop\officina.dll,Waterwell MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5340 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5368 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5340 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.379559928.00000000058A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.379381570.00000000058A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.379611383.00000000058A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.379415722.00000000058A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.379525566.00000000058A8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDB9970 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,1_2_6DDB9970
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04271B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_04271B81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_048D1B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_048D1B81

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: unknown | DNS traffic detected: query: pop53334.yahoo.com replaycode: Name error (3)
Source: msapplication.xml1.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1e43f1e7,0x01d69050</date><accdate>0x1e43f1e7,0x01d69050</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x1e43f1e7,0x01d69050</date><accdate>0x1e43f1e7,0x01d69050</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1e4b18f9,0x01d69050</date><accdate>0x1e4b18f9,0x01d69050</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1e4b18f9,0x01d69050</date><accdate>0x1e4b18f9,0x01d69050</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1e4b18f9,0x01d69050</date><accdate>0x1e4b18f9,0x01d69050</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.20.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x1e4b18f9,0x01d69050</date><accdate>0x1e4b18f9,0x01d69050</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: pop53334.yahoo.com
Source: {487E532B-FC43-11EA-90E8-ECF4BBEA1588}.dat.20.dr | String found in binary or memory: http://pop53334.yahoo.com/images/eO_2FHcQ5_2/B5wg8qhG84E32g/FqPQDHGWAZkOyXw8pNlUV/trtwgQN0WsGncY69/O
Source: msapplication.xml.20.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.20.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.20.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.20.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.20.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.20.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.20.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.20.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.379559928.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379381570.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379611383.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379415722.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379525566.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379594362.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.457990441.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379639124.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379460665.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.379559928.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379381570.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379611383.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379415722.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379525566.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379594362.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.457990441.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379639124.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379460665.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD51AE6 GetProcAddress,NtCreateSection,memset,1_2_6DD51AE6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD5218C NtMapViewOfSection,1_2_6DD5218C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD52685 NtQueryVirtualMemory,1_2_6DD52685
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04271AB7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,2_2_04271AB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0427B0BD NtQueryVirtualMemory,2_2_0427B0BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_048D1AB7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_048D1AB7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_048DB0BD NtQueryVirtualMemory,3_2_048DB0BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD52464 1_2_6DD52464
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD6FD90 1_2_6DD6FD90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD92BC0 1_2_6DD92BC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04279421 2_2_04279421
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0427AE9C 2_2_0427AE9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_048DAE9C 3_2_048DAE9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_048D9421 3_2_048D9421
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6DD98CF0 appears 60 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6DDA54E0 appears 71 times
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: classification engine | Classification label: mal56.bank.troj.winDLL@12/20@6/1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04277790 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,2_2_04277790
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF133E70B94B450750.TMP
Source: officina.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\officina.dll',DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\officina.dll'
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\officina.dll',DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.dll,Crossice
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.dll,Softmore
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.dll,Waterwell
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5340 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe 'C:\Users\user\Desktop\officina.dll',DllRegisterServer
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.dll,Crossice
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.dll,Softmore
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\officina.dll,Waterwell
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5340 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: officina.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: officina.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: e:\Except\95\Pretty\Ease\Green\94\Industry\22\14\move\play\Well\While.pdb source: rundll32.exe, officina.dll
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD52453 push ecx; ret 1_2_6DD52463
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD52400 push ecx; ret 1_2_6DD52409
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD651ED push esi; ret 1_2_6DD651F6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0427AE8B push ecx; ret 2_2_0427AE9B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_0427AAD0 push ecx; ret 2_2_0427AAD9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_3_04CE849B pushfd ; retn 0000h 3_3_04CE849C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_048DAE8B push ecx; ret 3_2_048DAE9B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_048DAAD0 push ecx; ret 3_2_048DAAD9

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.379559928.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379381570.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379611383.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379415722.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379525566.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379594362.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.457990441.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379639124.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379460665.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD92BC0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,1_2_6DD92BC0
Source: C:\Windows\SysWOW64\rundll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDB9970 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,1_2_6DDB9970
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_04271B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_04271B81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_048D1B81 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_048D1B81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD521E3 LdrInitializeThunk,GetModuleHandleA,GetProcAddress,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GetProcAddress,1_2_6DD521E3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDB5790 IsDebuggerPresent,1_2_6DDB5790
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDB4510 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,LdrInitializeThunk,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV,1_2_6DDB4510
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDA95D0 mov eax, dword ptr fs:[00000030h] 1_2_6DDA95D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDB8FF0 mov ecx, dword ptr fs:[00000030h] 1_2_6DDB8FF0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD7199E mov eax, dword ptr fs:[00000030h] 1_2_6DD7199E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDB9130 mov ecx, dword ptr fs:[00000030h] 1_2_6DDB9130
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD718D4 mov eax, dword ptr fs:[00000030h] 1_2_6DD718D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDB9090 mov ecx, dword ptr fs:[00000030h] 1_2_6DDB9090
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDD4F7E mov eax, dword ptr fs:[00000030h] 1_2_6DDD4F7E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDD4ABE push dword ptr fs:[00000030h] 1_2_6DDD4ABE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DDD4EB4 mov eax, dword ptr fs:[00000030h] 1_2_6DDD4EB4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD518A7 InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,1_2_6DD518A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD947B0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6DD947B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD94900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_6DD94900
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD98B60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_6DD98B60
Source: rundll32.exe, 00000001.00000002.456362907.0000000003930000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: rundll32.exe, 00000001.00000002.456362907.0000000003930000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000001.00000002.456362907.0000000003930000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: rundll32.exe, 00000001.00000002.456362907.0000000003930000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD94490 cpuid 1_2_6DD94490
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD513AC GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,1_2_6DD513AC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_042712A7 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,2_2_042712A7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_6DD51CFD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,1_2_6DD51CFD

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.379559928.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379381570.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379611383.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379415722.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379525566.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379594362.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.457990441.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379639124.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379460665.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.379559928.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379381570.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379611383.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379415722.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379525566.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379594362.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.457990441.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379639124.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.379460665.00000000058A8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6828, type: MEMORY

MITRE ATT&CK Matrix

The matrix below is the report's technique grid (one column per tactic); a number in parentheses after a technique is the count of matched signatures, as in the original superscripts. Empty cells are left blank.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (1) | DLL Side-Loading (1) | Process Injection (2) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Application Shimming (1) | DLL Side-Loading (1) | Process Injection (2) | LSASS Memory | Query Registry (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Application Shimming (1) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Security Software Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | DLL Side-Loading (1) | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery (13) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph

[Behavior graph figure; the legend icons and graph layout did not survive extraction. Information recovered from the figure:]

Behavior Graph ID: 288014 | Sample: officina.dll | Start date: 21/09/2020 | Architecture: WINDOWS | Score: 56

Process tree and edges shown in the graph:
• loaddll32.exe started four rundll32.exe child processes.
• rundll32.exe triggered the signatures "Writes registry values via WMI" and "Creates a COM Internet Explorer object".
• iexplore.exe (10 registry values, 83 files) contacted 192.168.2.1 (unknown) and started a child iexplore.exe (32 files), which resolved pop53334.yahoo.com.
• Signature at the top level: "Yara detected Ursnif".

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.