Loading ...

Play interactive tourEdit tour

Analysis Report zQ32b1FVcL.dll

Overview

General Information

Sample Name:zQ32b1FVcL.dll
Analysis ID:338663
MD5:eed4174c8a96dd7b611d9f109c71e20f
SHA1:c471724d86fd269a19932280361ca52e1e294f19
SHA256:e5dc940537146c1c56b8a8f91234484c83223943c13d2fbf354f0cfdec13c258
Tags:dllGozi

Most interesting Screenshot:

Detection

Ursnif
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6132 cmdline: loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll' MD5: 2D39D4DFDE8F7151723794029AB8A034)
  • iexplore.exe (PID: 6388 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6496 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1140 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4144 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3288 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6620 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 3984 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6772 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "whoami": "user@320946", "dns": "320946", "version": "250171", "uptime": "266", "crc": "1", "id": "5533", "user": "253fc4ee08f8d2d8cdc8873aab08ddd5", "soft": "2"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 5 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: loaddll32.exe.6132.1.memstrMalware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@320946", "dns": "320946", "version": "250171", "uptime": "266", "crc": "1", "id": "5533", "user": "253fc4ee08f8d2d8cdc8873aab08ddd5", "soft": "2"}
            Source: 1.2.loaddll32.exe.cc0000.2.unpackAvira: Label: TR/Crypt.XPACK.Gen8
            Source: 1.2.loaddll32.exe.10000000.4.unpackAvira: Label: TR/Crypt.XPACK.Gen8
            Source: zQ32b1FVcL.dllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CF523C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_00CF523C
            Source: global trafficHTTP traffic detected: GET /images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9mxw/6WnzZpVL425M/CKmLBjBrvSn/f81OVwTXuZJrQZ/ja96eHVtqviz347i3JPx7/5Q6Nnj7RuUGPOFSU/4_2BMMGnBKrRLtO/P_2FyE_2BfezXukLEe/1gUCCjKEM/NO_2BQ8BNJkX/Zge.avi HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: begoventa.topConnection: Keep-Alive
            Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: begoventa.topConnection: Keep-Alive
            Source: msapplication.xml0.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml0.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x482e4b07,0x01d6e951</date><accdate>0x482e4b07,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
            Source: msapplication.xml5.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml5.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x48330f3c,0x01d6e951</date><accdate>0x48330f3c,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
            Source: msapplication.xml7.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x483571cf,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: msapplication.xml7.16.drString found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x483571cf,0x01d6e951</date><accdate>0x4837d4a4,0x01d6e951</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
            Source: unknownDNS traffic detected: queries for: babidone.top
            Source: {8CB598BC-5544-11EB-90E4-ECF4BB862DED}.dat.24.drString found in binary or memory: http://babidone.top/images/tA_2BVY2gpEVQoau7_/2F_2Fif0j/qHSdUWFKPJWkX50svEcy/JM_2Bha3oNIg2DGHFKu/s3R
            Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmpString found in binary or memory: http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQd
            Source: {B10F0CC6-5544-11EB-90E4-ECF4BB862DED}.dat.34.drString found in binary or memory: http://begoventa.top/images/FYBARzKsgpw7r/GeKZtzzc/xoDGsIA1G8WlOKnsrCv_2F5/ejqDaRsnD5/ZD4RH6oQdxqfB9
            Source: zQ32b1FVcL.dllString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
            Source: zQ32b1FVcL.dllString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
            Source: zQ32b1FVcL.dllString found in binary or memory: http://ocsp.sectigo.com0
            Source: msapplication.xml.16.drString found in binary or memory: http://www.amazon.com/
            Source: msapplication.xml1.16.drString found in binary or memory: http://www.google.com/
            Source: msapplication.xml2.16.drString found in binary or memory: http://www.live.com/
            Source: msapplication.xml3.16.drString found in binary or memory: http://www.nytimes.com/
            Source: msapplication.xml4.16.drString found in binary or memory: http://www.reddit.com/
            Source: msapplication.xml5.16.drString found in binary or memory: http://www.twitter.com/
            Source: msapplication.xml6.16.drString found in binary or memory: http://www.wikipedia.com/
            Source: msapplication.xml7.16.drString found in binary or memory: http://www.youtube.com/
            Source: loaddll32.exe, 00000001.00000002.589354244.000000000050B000.00000004.00000020.sdmpString found in binary or memory: https://babidone.top/images/SD1b2IxKgGl/yu82lOMR21XtBT/D978a7t2zaVGKWj8Jhn4X/WcqZuBMBlmeeUEpv/9Sv89p
            Source: zQ32b1FVcL.dllString found in binary or memory: https://sectigo.com/CPS0D
            Source: unknownNetwork traffic detected: HTTP traffic on port 49754 -> 443

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

            System Summary:

            barindex
            Writes or reads registry keys via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Writes registry values via WMIShow sources
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001812 NtMapViewOfSection,1_2_10001812
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001DD0 GetProcAddress,NtCreateSection,memset,1_2_10001DD0
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100022E5 NtQueryVirtualMemory,1_2_100022E5
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CF9932 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,1_2_00CF9932
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CFB2C1 NtQueryVirtualMemory,1_2_00CFB2C1
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100020C41_2_100020C4
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CFB09C1_2_00CFB09C
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CFEC481_2_00CFEC48
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CFEC411_2_00CFEC41
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CF99FC1_2_00CF99FC
            Source: zQ32b1FVcL.dllStatic PE information: invalid certificate
            Source: zQ32b1FVcL.dllStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: zQ32b1FVcL.dllBinary or memory string: OriginalFilename360SkinView.exeF vs zQ32b1FVcL.dll
            Source: zQ32b1FVcL.dllStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
            Source: classification engineClassification label: mal64.troj.winDLL@13/44@4/3
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CF244A CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,1_2_00CF244A
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFD53763C3DA639732.TMPJump to behavior
            Source: zQ32b1FVcL.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\zQ32b1FVcL.dll'
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1140 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3288 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3984 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: zQ32b1FVcL.dllStatic PE information: section name: .data2
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100020B3 push ecx; ret 1_2_100020C3
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10002060 push ecx; ret 1_2_10002069
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CFACD0 push ecx; ret 1_2_00CFACD9
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CFB08B push ecx; ret 1_2_00CFB09B
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C81830 push edx; ret 1_2_00C81934
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C644CE push edx; ret 1_2_00C644CF
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C611C0 push eax; iretd 1_2_00C611D6
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C615D6 push ecx; ret 1_2_00C615D7
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C63DFA push ecx; retf 1_2_00C63E01
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C65116 pushad ; ret 1_2_00C65129
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C63E99 push FFFFFFCFh; retf 1_2_00C63EC7
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C63A4D push 92BB463Fh; iretd 1_2_00C63A52
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C643F7 push ss; ret 1_2_00C643F8
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00C63F02 push dword ptr [edi+64h]; iretd 1_2_00C63F0C

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY
            Source: C:\Windows\System32\loaddll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CF523C RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_00CF523C
            Source: loaddll32.exe, 00000001.00000002.589296510.00000000004F9000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAWH
            Source: C:\Windows\System32\loaddll32.exeMemory protected: page execute read | page guardJump to behavior
            Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: loaddll32.exe, 00000001.00000002.590862827.0000000001260000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CF5DC6 cpuid 1_2_00CF5DC6
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_100019C7 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,1_2_100019C7
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_00CF5DC6 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,1_2_00CF5DC6
            Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_10001799 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,1_2_10001799

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000001.00000003.303180413.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303205645.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.302945060.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303072523.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303036485.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.302845992.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000002.591350377.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303010833.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000001.00000003.303117277.0000000003178000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6132, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation2Path InterceptionProcess Injection2Masquerading1OS Credential DumpingSystem Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDisable or Modify Tools1LSASS MemoryQuery Registry1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection2Security Account ManagerSecurity Software Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSProcess Discovery2Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol3SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing1LSA SecretsAccount Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Owner/User Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
            External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc FilesystemFile and Directory Discovery2Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadowSystem Information Discovery13Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 338663 Sample: zQ32b1FVcL.dll Startdate: 12/01/2021 Architecture: WINDOWS Score: 64 33 Found malware configuration 2->33 35 Yara detected  Ursnif 2->35 6 loaddll32.exe 7 2->6         started        10 iexplore.exe 1 50 2->10         started        12 iexplore.exe 1 50 2->12         started        14 2 other processes 2->14 process3 dnsIp4 29 babidone.top 6->29 37 Writes or reads registry keys via WMI 6->37 39 Writes registry values via WMI 6->39 31 192.168.2.1 unknown unknown 10->31 16 iexplore.exe