Analysis Report ox9.dll

Overview

General Information

Sample Name: ox9.dll
Analysis ID: 333659
MD5: 68cf96f4bc91628e22e1526d9728990b
SHA1: a1e1063ec8c3667e86e1afab81cb6bbea84485b3
SHA256: 790191b70550856b3e8ec108fdb82cd8d852822d6716ec865f21cfb5ad160b7c
Tags: dll, gozi, ISFB, ursnif

Detection

Ursnif
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a DirectInput object (often for capturing keystrokes)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: ox9.dll Avira: detected
Multi AV Scanner detection for submitted file
Source: ox9.dll Virustotal: Detection: 15%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.d80000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.2.rundll32.exe.2e50000.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: loaddll32.exe, 00000000.00000003.250008178.0000000003FF0000.00000004.00000040.sdmp, rundll32.exe, 00000002.00000003.296233107.0000000007A50000.00000004.00000040.sdmp String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: loaddll32.exe, rundll32.exe String found in binary or memory: https://hospader.xyz
Source: loaddll32.exe, 00000000.00000002.280880622.0000000003FF0000.00000004.00000040.sdmp String found in binary or memory: https://hospader.xyz/index.htmn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7060, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.280355202.00000000008DB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: classification engine Classification label: mal72.troj.winDLL@6/4@0/0
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFA1B9382F0B9E6393.TMP
Source: ox9.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ox9.dll,TestM
Source: ox9.dll Virustotal: Detection: 15%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ox9.dll'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ox9.dll,TestM
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5388 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ox9.dll,TestM
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5388 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: rundll32.exe, 00000002.00000002.325159463.0000000002F83000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7060, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Behavior Graph (ID: 333659, Sample: ox9.dll, Start date: 23/12/2020, Architecture: WINDOWS, Score: 72)
Graph signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected Ursnif
Process tree: loaddll32.exe started (Writes or reads registry keys via WMI; Writes registry values via WMI) and in turn started rundll32.exe; iexplore.exe started and in turn started a second iexplore.exe
No contacted IP infos