
Analysis Report 0pz1on1.dll

Overview

General Information

Sample Name: 0pz1on1.dll
Analysis ID: 320364
MD5: 3bd94cd9d5af80967956a0c2789bf180
SHA1: 7d0b946bfa133ec9c10cb1cca0007139597b2011
SHA256: e9b8536f66aa5222f1979fea40b25b83f2acb487a0ab61a76378a2128efc0420
Tags: dll, gozi, isfb, ursnif

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to query CPU information (cpuid)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 3924 cmdline: loaddll32.exe 'C:\Users\user\Desktop\0pz1on1.dll' MD5: 62442CB29236B024E992A556DA72B97A)
  • iexplore.exe (PID: 4852 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1744 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4852 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6496 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3120 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4464 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5144 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5028 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2212 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "version": "250162", "uptime": "217ceL|", "crc": "1", "id": "7239", "user": "253fc4ee08f8d2d8cdc8873a4f316e0b", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: loaddll32.exe.3924.0.memstr | Malware Configuration Extractor: Ursnif {"server": "12", "version": "250162", "uptime": "217ceL|", "crc": "1", "id": "7239", "user": "253fc4ee08f8d2d8cdc8873a4f316e0b", "soft": "3"}
Multi AV Scanner detection for submitted file
Source: 0pz1on1.dll | ReversingLabs: Detection: 20%
Machine Learning detection for sample
Source: 0pz1on1.dll | Joe Sandbox ML: detected
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_011B523B

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: global traffic | HTTP traffic detected: GET /images/uwsvkUIzKxnVNIO/1hHERgIZGzO_2Bap_2/F07KJc5Re/tt4zrw9iXOc9md6Mf75y/kxfYNsV0RjT7n0rzu_2/FVrjLW0Lx1_2FNeyWne9gk/0rFmuW9zFu5BV/c7RWa33N/1NgLVJFWI2qb9NTj9vbwwI_/2F2HNzSZxp/DIXVF0dEz33_2BLha/h6wWaOyw/2.avi HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: billinglines.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/EuNoqB8rz283d_2F7/B2kFZAZsTPTP/AjxLGzItOQW/LGcQAVabLTNFrn/ibQqX2QKAtaqH2QpDHFdT/6FHFM3jb_2BEx6vj/K0T2UpF9ftSsAhC/WBke3cKFZQASphRr9z/wDAeGeXXF/ciy8TXpgvP0d/PQ9l29nE/m.avi HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: ocsp.sca1b.amazontrust.com | Connection: Keep-Alive
Source: msapplication.xml0.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x48f1af55,0x01d6be9c</date><accdate>0x48f1af55,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48f41161,0x01d6be9c</date><accdate>0x48f41161,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x48f673cb,0x01d6be9c</date><accdate>0x48f673cb,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x48f673cb,0x01d6be9c</date><accdate>0x48f673cb,0x01d6be9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: billinglines.com
Source: {8D389D40-2A8F-11EB-90E4-ECF4BB862DED}.dat.21.dr | String found in binary or memory: http://billinglines.com/images/uwsvkUIzKxnVNIO/1hHERgIZGzO_2Bap_2/F07KJc5Re/tt4zrw9iXOc9md6Mf75y/kxf
Source: msapplication.xml.3.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.3.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.3.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.475496592.00000000013FB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01181E57 GetProcAddress,NtCreateSection,memset,0_2_01181E57
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011811EA NtMapViewOfSection,0_2_011811EA
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011823F5 NtQueryVirtualMemory,0_2_011823F5
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B6066 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_011B6066
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011BB10D NtQueryVirtualMemory,0_2_011BB10D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011821D4
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B15CD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011BAEEC
Source: 0pz1on1.dll | Binary or memory string: OriginalFilenameMcx2Prov.exej% vs 0pz1on1.dll
Source: classification engine | Classification label: mal80.bank.troj.winDLL@13/44@2/2
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B5946 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_011B5946
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFDB1C02956F83098A.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0pz1on1.dll | ReversingLabs: Detection: 20%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0pz1on1.dll'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4852 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4852 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4464 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5028 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 0pz1on1.dll | Static PE information: section name: .rdata8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011821C3 push ecx; ret 0_2_011821D3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01182170 push ecx; ret 0_2_01182179
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000FE1F push edi; retf 0_2_1000FE34
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000F45E push ebx; ret 0_2_1000F460
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000D70A push ecx; ret 0_2_1000D70B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10011316 push edx; ret 0_2_10011317
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10010963 push 6A2E45E0h; ret 0_2_10010968
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1001056C push ds; retf 0_2_1001056D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_1000D3C9 push eax; ret 0_2_1000D3CC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100115DE push eax; retf 0_2_100115DF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_100061F0 push ecx; ret 0_2_10006420
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011BAB20 push ecx; ret 0_2_011BAB29
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011BAEDB push ecx; ret 0_2_011BAEEB

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_10001070 EntryPoint,CloseMetaFile,GetWindowTextLengthA,EndDoc,AbortDoc,AbortDoc,GetMenuCheckMarkDimensions,CloseEnhMetaFile,CreateMenu,IsCharAlphaNumericW,GetLastActivePopup,IsIconic,CloseClipboard,CloseFigure,GetMapMode,CharLowerW,DestroyCursor,GetKeyboardLayout,IsWindowVisible,VkKeyScanA,CreatePopupMenu,CancelDC,GetSysColor,CharUpperW,AbortPath,AbortPath,GetKeyState,GetFocus,GetColorSpace,ReleaseCapture,GetDesktopWindow,InSendMessage,UpdateColors,IsGUIThread,CreateSolidBrush,CreateSolidBrush,WindowFromDC,GetLastActivePopup,IsCharUpperW,DestroyMenu,CreateMetaFileA,GetTopWindow,DestroyCursor,GetMessageTime,GetTextCharset,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCursorFromFileW,LoadCur0_2_10001070
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe TID: 5420 | Thread sleep count: 58 > 30
Source: C:\Windows\System32\loaddll32.exe TID: 5840 | Thread sleep count: 49 > 30
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_011B523B
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.475741198.0000000001980000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B65CE cpuid 0_2_011B65CE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01181006 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_01181006
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011B65CE RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_011B65CE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011810D8 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_011810D8

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.265225077.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265393506.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265382479.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265276332.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265331854.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265300438.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265348911.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.265365047.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.476148188.0000000003A78000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 3924, type: MEMORY

            Mitre Att&ck Matrix

            Techniques followed by a count in parentheses were observed in this analysis; the count is the number of matching signatures. The remaining entries are the matrix's full technique list, given per tactic column.

            Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
            Execution: Windows Management Instrumentation (2), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter, PowerShell
            Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
            Privilege Escalation: Process Injection (2), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job, At (Linux)
            Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (2), Obfuscated Files or Information (1), Software Packing, Steganography, Compile After Delivery, Indicator Removal from Tools, Masquerading
            Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
            Discovery: System Time Discovery (1), Query Registry (1), Virtualization/Sandbox Evasion (1), Process Discovery (2), Application Window Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (13)
            Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot, Software Deployment Tools
            Collection: Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
            Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
            Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (2), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
            Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols, Rogue Cellular Base Station
            Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
            Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue, Data Destruction

            Behavior Graph

            [The behavior graph is an image in the original; the node text that survives is listed here.]
            Behavior Graph ID: 320364, Sample: 0pz1on1.dll, Startdate: 19/11/2020, Architecture: WINDOWS, Score: 80
            Signatures at the root: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
            Processes started from the root: loaddll32.exe, iexplore.exe, iexplore.exe, and 2 other processes
            Signatures on loaddll32.exe: Writes or reads registry keys via WMI; Writes registry values via WMI; Creates a COM Internet Explorer object
            Each of the two iexplore.exe processes started a child iexplore.exe