Analysis Report 0pz1on1.dll

Overview

General Information

Sample Name: 0pz1on1.dll
Analysis ID: 320364
MD5: 3bd94cd9d5af80967956a0c2789bf180
SHA1: 7d0b946bfa133ec9c10cb1cca0007139597b2011
SHA256: e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420
Tags: dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query CPU information (cpuid)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: loaddll32.exe.3924.0.memstr Malware Configuration Extractor: Ursnif {"server": "12", "version": "250162", "uptime": "217ceL|", "crc": "1", "id": "7239", "user": "253fc4ee08f8d2d8cdc8873a4f316e0b", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: 0pz1on1.dll ReversingLabs: Detection: 20%
Machine Learning detection for sample
Source: 0pz1on1.dll Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011B523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_011B523B

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: global traffic HTTP traffic detected:
  GET /images/uwsvkUIzKxnVNIO/1hHERgIZGzO_2Bap_2/F07KJc5Re/tt4zrw9iXOc9md6Mf75y/kxfYNsV0RjT7n0rzu_2/FVrjLW0Lx1_2FNeyWne9gk/0rFmuW9zFu5BV/c7RWa33N/1NgLVJFWI2qb9NTj9vbwwI_/2F2HNzSZxp/DIXVF0dEz33_2BLha/h6wWaOyw/2.avi HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: billinglines.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /images/EuNoqB8rz283d_2F7/B2kFZAZsTPTP/AjxLGzItOQW/LGcQAVabLTNFrn/ibQqX2QKAtaqH2QpDHFdT/6FHFM3jb_2BEx6vj/K0T2UpF9ftSsAhC/WBke3cKFZQASphRr9z/wDAeGeXXF/ciy8TXpgvP0d/PQ9l29nE/m.avi HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: ocsp.sca1b.amazontrust.com
  Connection: Keep-Alive
Source: msapplication.xml0.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x48f673cb,0x01d6be9c</date><accdate>0x48f673cb,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x48f673cb,0x01d6be9c</date><accdate>0x48f673cb,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: billinglines.com
Source: {8D389D40-2A8F-11EB-90E4-ECF4BB862DED}.dat.21.dr String found in binary or memory: http://billinglines.com/images/uwsvkUIzKxnVNIO/1hHERgIZGzO_2Bap_2/F07KJc5Re/tt4zrw9iXOc9md6Mf75y/kxf
Source: msapplication.xml.3.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.3.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.3.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.475496592.00000000013FB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif (same Yara matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01181E57 GetProcAddress,NtCreateSection,memset, 0_2_01181E57
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011811EA NtMapViewOfSection, 0_2_011811EA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011823F5 NtQueryVirtualMemory, 0_2_011823F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011B6066 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_011B6066
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011BB10D NtQueryVirtualMemory, 0_2_011BB10D
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011821D4 0_2_011821D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011B15CD 0_2_011B15CD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011BAEEC 0_2_011BAEEC
Sample file is different than original file name gathered from version info
Source: 0pz1on1.dll Binary or memory string: OriginalFilenameMcx2Prov.exej% vs 0pz1on1.dll
Source: classification engine Classification label: mal80.bank.troj.winDLL@13/44@2/2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011B5946 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_011B5946
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFDB1C02956F83098A.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0pz1on1.dll ReversingLabs: Detection: 20%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0pz1on1.dll'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4852 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4852 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

PE file contains sections with non-standard names
Source: 0pz1on1.dll Static PE information: section name: .rdata8
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011821C3 push ecx; ret 0_2_011821D3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01182170 push ecx; ret 0_2_01182179
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000FE1F push edi; retf 0_2_1000FE34
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000F45E push ebx; ret 0_2_1000F460
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D70A push ecx; ret 0_2_1000D70B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10011316 push edx; ret 0_2_10011317
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10010963 push 6A2E45E0h; ret 0_2_10010968
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1001056C push ds; retf 0_2_1001056D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_1000D3C9 push eax; ret 0_2_1000D3CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100115DE push eax; retf 0_2_100115DF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100061F0 push ecx; ret 0_2_10006420
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011BAB20 push ecx; ret 0_2_011BAB29
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011BAEDB push ecx; ret 0_2_011BAEEB

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif (same Yara matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001070 EntryPoint,CloseMetaFile,GetWindowTextLengthA,EndDoc,AbortDoc,AbortDoc,GetMenuCheckMarkDimensions,CloseEnhMetaFile,CreateMenu,IsCharAlphaNumericW,GetLastActivePopup,IsIconic,CloseClipboard,CloseFigure,GetMapMode,CharLowerW,DestroyCursor,GetKeyboardLayout,IsWindowVisible,VkKeyScanA,CreatePopupMenu,CancelDC,GetSysColor,CharUpperW,AbortPath,AbortPath,GetKeyState,GetFocus,GetColorSpace,ReleaseCapture,GetDesktopWindow,InSendMessage,UpdateColors,IsGUIThread,CreateSolidBrush,CreateSolidBrush,WindowFromDC,GetLastActivePopup,IsCharUpperW,DestroyMenu,CreateMetaFileA,GetTopWindow,DestroyCursor,GetMessageTime,GetTextCharset,LoadCursorFromFileW,LoadCursorFromFileW,... (LoadCursorFromFileW repeated many times; the call list is truncated in the report) 0_2_10001070
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\loaddll32.exe TID: 5420 Thread sleep count: 58 > 30
Source: C:\Windows\System32\loaddll32.exe TID: 5840 Thread sleep count: 49 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011B523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_011B523B
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011B65CE cpuid 0_2_011B65CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01181006 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_01181006
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011B65CE RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_011B65CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011810D8 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_011810D8

Stealing of Sensitive Information:

Yara detected Ursnif (same Yara matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Remote Access Functionality:

Yara detected Ursnif (same Yara matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Behavior Graph

Behavior Graph ID: 320364
Sample: 0pz1on1.dll
Startdate: 19/11/2020
Architecture: WINDOWS
Score: 80
Sample signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Processes started: loaddll32.exe; iexplore.exe; iexplore.exe; 2 other processes
loaddll32.exe signatures: Writes or reads registry keys via WMI; Writes registry values via WMI; Creates a COM Internet Explorer object
Child processes: iexplore.exe (4 instances, started by the iexplore.exe parents)
DNS/IP: billinglines.com 195.110.58.42, ports 49731, 49732, 80, AS-HOSTINGERLT, Lithuania
DNS/IP: ocsp.sca1b.amazontrust.com 143.204.15.36, ports 49749, 49750, 80, AMAZON-02US, United States

Contacted Public IPs

IP            | Domain  | Country       | ASN   | ASN Name       | Malicious
195.110.58.42 | unknown | Lithuania     | 47583 | AS-HOSTINGERLT | false
143.204.15.36 | unknown | United States | 16509 | AMAZON-02US    | false

Contacted Domains

Name                       | IP            | Active
billinglines.com           | 195.110.58.42 | true
ocsp.sca1b.amazontrust.com | 143.204.15.36 | true