Play interactive tour

Edit tour

Analysis Report zQ32b1FVcL.dll

Overview

General Information

Sample Name:	zQ32b1FVcL.dll
Analysis ID:	338663
MD5:	eed4174c8a96dd7b611d9f109c71e20f
SHA1:	c471724d86fd269a19932280361ca52e1e294f19
SHA256:	e5dc940537146c1c56b8a8f91234484c83223943c13d2fbf354f0cfdec13c258
Tags:	dllGozi
Most interesting Screenshot:

Detection

Ursnif

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected Ursnif

Writes or reads registry keys via WMI

Writes registry values via WMI

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6132 cmdline: loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)

iexplore.exe (PID: 6388 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6496 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1140 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4144 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3288 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6620 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 3984 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6772 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@320946", "dns": "320946", "version": "250171", "uptime": "266", "crc": "1", "id": "5533", "user": "253fc4ee08f8d2d8cdc8873aab08ddd5", "soft": "2"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6132	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: loaddll32.exe.6132.1.memstr

Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@320946", "dns": "320946", "version": "250171", "uptime": "266", "crc": "1", "id": "5533", "user": "253fc4ee08f8d2d8cdc8873aab08ddd5", "soft": "2"}

Source: 1.2.loaddll32.exe.cc0000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.loaddll32.exe.10000000.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: zQ32b1FVcL.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00CF523C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

1_2_00CF523C

Source: global traffic	HTTP traffic detected: GET /images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: begoventa.topConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: begoventa.topConnection: Keep-Alive

Source: msapplication.xml0.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.16.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x4837d4a4,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: babidone.top

Source: {8CB598BC-5544-11EB-90E4-ECF4BB862DED}.dat.24.dr	String found in binary or memory: http://babidone.top/images/tA_2BVY2gpEVQoau7_/2F_2Fif0j/qHSdUWFKPJWkX50svEcy/JM_2Bha3oNIg2DGHFKu/s3R
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	String found in binary or memory: http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQd
Source: {B10F0CC6-5544-11EB-90E4-ECF4BB862DED}.dat.34.dr	String found in binary or memory: http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9
Source: zQ32b1FVcL.dll	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: zQ32b1FVcL.dll	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: zQ32b1FVcL.dll	String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.16.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.16.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.16.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.16.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.16.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.16.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.16.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.16.dr	String found in binary or memory: http://www.youtube.com/
Source: loaddll32.exe, 00000001.00000002.589354244.000000000050B000.00000004.00000020.sdmp	String found in binary or memory: https://babidone.top/images/SD1b2IxKgGl/yu82lOMR21XtBT/D978a7t2zaVGKWj8Jhn4X/WcqZuBMBlmeeUEpv/9Sv89p
Source: zQ32b1FVcL.dll	String found in binary or memory: https://sectigo.com/CPS0D

Source: unknown

Network traffic detected: HTTP traffic on port 49754 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10001812 NtMapViewOfSection,	1_2_10001812
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10001DD0 GetProcAddress,NtCreateSection,memset,	1_2_10001DD0
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100022E5 NtQueryVirtualMemory,	1_2_100022E5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CF9932 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_00CF9932
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFB2C1 NtQueryVirtualMemory,	1_2_00CFB2C1

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100020C4	1_2_100020C4
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFB09C	1_2_00CFB09C
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFEC48	1_2_00CFEC48
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFEC41	1_2_00CFEC41
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CF99FC	1_2_00CF99FC

Source: zQ32b1FVcL.dll

Static PE information: invalid certificate

Source: zQ32b1FVcL.dll

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: zQ32b1FVcL.dll

Binary or memory string: OriginalFilename360SkinView.exeF vs zQ32b1FVcL.dll

Source: zQ32b1FVcL.dll

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED

Source: classification engine

Classification label: mal64.troj.winDLL@13/44@4/3

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00CF244A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

1_2_00CF244A

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFD53763C3DA639732.TMP

Jump to behavior

Source: zQ32b1FVcL.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: zQ32b1FVcL.dll

Static PE information: section name: .data2

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_100020B3 push ecx; ret	1_2_100020C3
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_10002060 push ecx; ret	1_2_10002069
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFACD0 push ecx; ret	1_2_00CFACD9
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00CFB08B push ecx; ret	1_2_00CFB09B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C81830 push edx; ret	1_2_00C81934
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C644CE push edx; ret	1_2_00C644CF
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C611C0 push eax; iretd	1_2_00C611D6
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C615D6 push ecx; ret	1_2_00C615D7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C63DFA push ecx; retf	1_2_00C63E01
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C65116 pushad ; ret	1_2_00C65129
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C63E99 push FFFFFFCFh; retf	1_2_00C63EC7
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C63A4D push 92BB463Fh; iretd	1_2_00C63A52
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C643F7 push ss; ret	1_2_00C643F8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_00C63F02 push dword ptr [edi+64h]; iretd	1_2_00C63F0C

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

1_2_00CF523C

Source: loaddll32.exe, 00000001.00000002.589296510.00000000004F9000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAWH

Source: C:\Windows\System32\loaddll32.exe

Memory protected: page execute read | page guard

Jump to behavior

Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00CF5DC6 cpuid

1_2_00CF5DC6

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_100019C7 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

1_2_100019C7

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_00CF5DC6 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

1_2_00CF5DC6

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_10001799 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_10001799

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation2	Path Interception	Process Injection2	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Security Software Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery2	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery13	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report zQ32b1FVcL.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph