Loading ...

Play interactive tourEdit tour

Analysis Report ox9.dll

Overview

General Information

Sample Name:ox9.dll
Analysis ID:333659
MD5:68cf96f4bc91628e22e1526d9728990b
SHA1:a1e1063ec8c3667e86e1afab81cb6bbea84485b3
SHA256:790191b70550856b3e8ec108fdb82cd8d852822d6716ec865f21cfb5ad160b7c
Tags:dllgoziISFBursnif

Most interesting Screenshot:

Detection

Ursnif
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a DirectInput object (often for capturing keystrokes)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6720 cmdline: loaddll32.exe 'C:\Users\user\Desktop\ox9.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
    • rundll32.exe (PID: 7060 cmdline: rundll32.exe C:\Users\user\Desktop\ox9.dll,TestM MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5388 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4808 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5388 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.250008178.0000000003FF0000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000000.00000003.250275558.0000000003FF0000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000000.00000003.250091296.0000000003FF0000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000000.00000003.250163773.0000000003FF0000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000002.00000003.296233107.0000000007A50000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 63 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus / Scanner detection for submitted sampleShow sources
            Source: ox9.dllAvira: detected
            Multi AV Scanner detection for submitted fileShow sources
            Source: ox9.dllVirustotal: Detection: 15%Perma Link
            Source: 0.2.loaddll32.exe.d80000.0.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: 2.2.rundll32.exe.2e50000.1.unpackAvira: Label: TR/Patched.Ren.Gen
            Source: loaddll32.exe, 00000000.00000003.250008178.0000000003FF0000.00000004.00000040.sdmp, rundll32.exe, 00000002.00000003.296233107.0000000007A50000.00000004.00000040.sdmpString found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
            Source: loaddll32.exe, rundll32.exeString found in binary or memory: https://hospader.xyz
            Source: loaddll32.exe, 00000000.00000002.280880622.0000000003FF0000.00000004.00000040.sdmpString found in binary or memory: https://hospader.xyz/index.htmn

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.250008178.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250275558.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250091296.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250163773.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296233107.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250403224.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295957836.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297126618.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250414469.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296545097.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296348413.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296753573.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296489989.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250128659.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249239279.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295524758.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297234143.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296045389.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296622384.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297082506.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295889279.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249450946.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250225592.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296699564.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296426386.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297207378.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297019075.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249165583.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249815212.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296884566.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250352691.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249699894.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250196127.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.280880622.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249008055.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295819437.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249760942.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295082373.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295298623.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249961877.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249091122.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296969698.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249914112.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250330837.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249866308.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249311910.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250252374.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297189469.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250050973.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295195825.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250389471.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297165923.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.294971951.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297221124.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295621288.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249641923.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296835384.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296127430.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249581332.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.325725775.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249519808.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250297414.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295729131.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250373001.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249379729.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295414283.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7060, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY
            Source: loaddll32.exe, 00000000.00000002.280355202.00000000008DB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.250008178.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250275558.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250091296.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250163773.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296233107.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250403224.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295957836.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297126618.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250414469.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296545097.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296348413.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296753573.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296489989.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250128659.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249239279.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295524758.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297234143.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296045389.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296622384.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297082506.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295889279.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249450946.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250225592.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296699564.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296426386.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297207378.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297019075.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249165583.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249815212.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296884566.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250352691.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249699894.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250196127.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.280880622.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249008055.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295819437.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249760942.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295082373.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295298623.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249961877.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249091122.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296969698.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249914112.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250330837.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249866308.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249311910.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250252374.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297189469.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250050973.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295195825.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250389471.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297165923.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.294971951.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297221124.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295621288.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249641923.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296835384.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296127430.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249581332.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.325725775.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249519808.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250297414.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295729131.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250373001.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249379729.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295414283.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7060, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

            System Summary:

            barindex
            Writes or reads registry keys via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: classification engineClassification label: mal72.troj.winDLL@6/4@0/0
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFA1B9382F0B9E6393.TMPJump to behavior
            Source: ox9.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ox9.dll,TestM
            Source: ox9.dllVirustotal: Detection: 15%
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ox9.dll'
            Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ox9.dll,TestM
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5388 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ox9.dll,TestM
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5388 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.250008178.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250275558.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250091296.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250163773.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296233107.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250403224.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295957836.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297126618.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250414469.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296545097.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296348413.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296753573.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296489989.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250128659.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249239279.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295524758.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297234143.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296045389.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296622384.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297082506.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295889279.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249450946.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250225592.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296699564.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296426386.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297207378.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297019075.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249165583.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249815212.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296884566.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250352691.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249699894.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250196127.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.280880622.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249008055.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295819437.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249760942.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295082373.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295298623.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249961877.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249091122.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296969698.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249914112.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250330837.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249866308.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249311910.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250252374.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297189469.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250050973.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295195825.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250389471.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297165923.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.294971951.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297221124.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295621288.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249641923.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296835384.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296127430.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249581332.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.325725775.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249519808.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250297414.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295729131.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250373001.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249379729.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295414283.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7060, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY
            Source: C:\Windows\System32\loaddll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
            Source: rundll32.exe, 00000002.00000002.325159463.0000000002F83000.00000004.00000001.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.250008178.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250275558.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250091296.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250163773.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296233107.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250403224.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295957836.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297126618.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250414469.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296545097.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296348413.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296753573.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296489989.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250128659.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249239279.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295524758.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297234143.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296045389.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296622384.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297082506.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295889279.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249450946.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250225592.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296699564.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296426386.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297207378.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297019075.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249165583.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249815212.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296884566.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250352691.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249699894.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250196127.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.280880622.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249008055.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295819437.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249760942.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295082373.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295298623.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249961877.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249091122.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296969698.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249914112.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250330837.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249866308.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249311910.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250252374.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297189469.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250050973.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295195825.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250389471.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297165923.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.294971951.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297221124.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295621288.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249641923.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296835384.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296127430.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249581332.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.325725775.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249519808.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250297414.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295729131.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250373001.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249379729.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295414283.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7060, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000000.00000003.250008178.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250275558.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250091296.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250163773.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296233107.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250403224.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295957836.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297126618.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250414469.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296545097.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296348413.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296753573.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296489989.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250128659.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249239279.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295524758.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297234143.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296045389.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296622384.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297082506.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295889279.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249450946.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250225592.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296699564.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296426386.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297207378.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297019075.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249165583.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249815212.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296884566.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250352691.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249699894.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250196127.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.280880622.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249008055.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295819437.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249760942.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295082373.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295298623.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249961877.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249091122.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296969698.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249914112.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250330837.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249866308.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249311910.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250252374.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297189469.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250050973.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295195825.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250389471.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297165923.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.294971951.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.297221124.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295621288.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249641923.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296835384.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.296127430.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249581332.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.325725775.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249519808.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250297414.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295729131.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.250373001.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.249379729.0000000003FF0000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000003.295414283.0000000007A50000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7060, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6720, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation211Path InterceptionProcess Injection1Masquerading1Input Capture1Query Registry1Remote ServicesInput Capture1Exfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRundll321LSASS MemorySecurity Software Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Software Packing1Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection1NTDSSystem Information Discovery2Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 333659 Sample: ox9.dll Startdate: 23/12/2020 Architecture: WINDOWS Score: 72 15 Antivirus / Scanner detection for submitted sample 2->15 17 Multi AV Scanner detection for submitted file 2->17 19 Yara detected  Ursnif 2->19 6 loaddll32.exe 1 2->6         started        9 iexplore.exe 2 62 2->9         started        process3 signatures4 21 Writes or reads registry keys via WMI 6->21 23 Writes registry values via WMI 6->23 11 rundll32.exe 6->11         started        13 iexplore.exe 7 9->13         started        process5

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.