Analysis Report ioir.png.dll

Overview

General Information

Sample Name: ioir.png.dll
Analysis ID: 349160
MD5: d31c0491f522d6b9f2102109bd2420af
SHA1: dc1cccf0e43ec5a68326ae4faf1a8cbc5ac00708
SHA256: f7c79c0c3feb7c0032424f5f6a9bcdf78d1815ee53f807cc192c2c1f8f21270f
Tags: isfbv3ursnif

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to detect sleep reduction / modifications
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: ioir.png.dll Virustotal: Detection: 42%
Source: ioir.png.dll ReversingLabs: Detection: 41%
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.22d0174.3.unpack Avira: Label: TR/Kazy.4159236
Source: 1.2.rundll32.exe.3540000.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.rundll32.exe.3530174.4.unpack Avira: Label: TR/Kazy.4159236
Source: 0.2.loaddll32.exe.2430000.4.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: ioir.png.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 45.133.216.103:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.133.216.103:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 45.133.216.103:443 -> 192.168.2.4:49777 version: TLS 1.2
Binary contains paths to debug symbols (every hit below is a .pdb name read from the memory of WerFault.exe, the Windows Error Reporting process launched for the crashed rundll32.exe, PID 3848; they name the system DLLs WerFault loaded, not symbol paths embedded in the sample)
Source: Binary string: powrprof.pdbF source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000004.00000003.652704445.0000000004CEB000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: riched20.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb@ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb. source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: winspool.pdb$ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: dnsapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb< source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: usp10.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb( source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: version.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: riched32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb$ source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: comctl32v582.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000004.00000003.657234478.0000000005290000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: version.pdb2 source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: msls31.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000004.00000003.657226715.0000000005181000.00000004.00000001.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 00000004.00000003.657239297.0000000005296000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00404FF4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00404FF4

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: msapplication.xml0.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x19bc77f4,0x01d6fbc9</date><accdate>0x19bc77f4,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x19bc77f4,0x01d6fbc9</date><accdate>0x19bc77f4,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x19c13ca7,0x01d6fbc9</date><accdate>0x19c13ca7,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x19c13ca7,0x01d6fbc9</date><accdate>0x19c13ca7,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x19c39f10,0x01d6fbc9</date><accdate>0x19c39f10,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x19c39f10,0x01d6fbc9</date><accdate>0x19c39f10,0x01d6fbc9</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: topitophug.xyz
Source: loaddll32.exe, 00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp, rundll32.exe, 00000001.00000002.678292603.0000000008010000.00000004.00000040.sdmp String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: msapplication.xml.8.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.8.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.8.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.8.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.8.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.8.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.8.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.8.dr String found in binary or memory: http://www.youtube.com/
Source: loaddll32.exe String found in binary or memory: https://topitophug.xyz
Source: loaddll32.exe, 00000000.00000002.1020935253.0000000005360000.00000004.00000040.sdmp, ~DFF728301785477207.TMP.8.dr String found in binary or memory: https://topitophug.xyz/index.htm
Source: {FC8A972A-67BB-11EB-90EB-ECF4BBEA1588}.dat.8.dr String found in binary or memory: https://topitophug.xyz/index.htm/index.htm
Source: {FC8A972A-67BB-11EB-90EB-ECF4BBEA1588}.dat.8.dr String found in binary or memory: https://topitophug.xyz/index.htmRoot
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.647244035.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648524337.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648667636.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648893530.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647868794.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648751901.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648917284.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648176949.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648860307.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647426858.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647623145.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.649011597.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647521163.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.649003327.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647703250.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1020935253.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.678292603.0000000008010000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648956787.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648265573.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648974202.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647795143.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647330409.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.647948135.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648938200.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648374581.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648323443.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648615088.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648037894.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648828511.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648478035.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648792520.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648104820.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648425491.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.648990980.0000000005360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY
Contains functionality to read data from the clipboard
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0040682E OpenClipboard, 1_2_0040682E
Contains functionality to read the clipboard data
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00420958 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 1_2_00420958
Contains functionality to record screenshots
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00420F9C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 1_2_00420F9C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00452C8C GetKeyboardState, 1_2_00452C8C
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\loaddll32.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\SysWOW64\rundll32.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match (same memory dumps and rundll32.exe PID 3848 / loaddll32.exe PID 6480 process memory spaces as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00455C08 NtdllDefWindowProc_A,GetCapture, 1_2_00455C08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00442040 NtdllDefWindowProc_A, 1_2_00442040
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004427E8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_004427E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00442898 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00442898
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00429150 NtdllDefWindowProc_A, 1_2_00429150
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044B7E0 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 1_2_0044B7E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_03552415 NtQueryVirtualMemory, 1_2_03552415
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_035A1757 memcpy,memcpy,lstrcatW,CreateEventA,NtQueryInformationProcess,CloseHandle, 1_2_035A1757
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_035A4DF0 NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,RtlNtStatusToDosError, 1_2_035A4DF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_035A6101 RtlNtStatusToDosError,NtClose, 1_2_035A6101
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_035AAC53 RtlInitUnicodeString,NtClose,RtlNtStatusToDosError, 1_2_035AAC53
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0043C538 1_2_0043C538
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044B7E0 1_2_0044B7E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_035521F4 1_2_035521F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_03531768 1_2_03531768
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_03531D74 1_2_03531D74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_035AB8DC 1_2_035AB8DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_035AC490 1_2_035AC490
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 004060A8 appears 61 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00403F1C appears 71 times
One or more processes crash
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 744
PE file contains strange resources
Source: ioir.png.dll Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: classification engine Classification label: mal68.troj.evad.winDLL@9/19@2/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0041DCB4 GetLastError,FormatMessageA, 1_2_0041DCB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00408632 GetDiskFreeSpaceA, 1_2_00408632
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00413784 FindResourceA, 1_2_00413784
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FC8A9728-67BB-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Windows\System32\loaddll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3848
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERF3C4.tmp
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Windows\System32\loaddll32.exe File read: C:\Windows\win.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ioir.png.dll',#1
Source: ioir.png.dll Virustotal: Detection: 42%
Source: ioir.png.dll ReversingLabs: Detection: 41%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\ioir.png.dll'
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ioir.png.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3848 -s 744
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17418 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\ioir.png.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6588 CREDAT:17418 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Windows\System32\loaddll32.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00426E24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00426E24
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0045D200 push 0045D28Dh; ret 1_2_0045D285
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00444114 push 0044416Eh; ret 1_2_00444166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0044C294 push 0044C2FFh; ret 1_2_0044C2F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0042435C push 00424388h; ret 1_2_00424380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004243AC push 004243D8h; ret 1_2_004243D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00424664 push 00424690h; ret 1_2_00424688
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00410696 push 0041070Eh; ret 1_2_00410706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00410698 push 0041070Eh; ret 1_2_00410706
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0042675C push 00426794h; ret 1_2_0042678C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00424760 push 0042478Ch; ret 1_2_00424784
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00410710 push 004107B8h; ret 1_2_004107B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00424798 push 004247C4h; ret 1_2_004247BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0041A7B2 push 0041A85Fh; ret 1_2_0041A857
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0041A7B4 push 0041A85Fh; ret 1_2_0041A857
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004107BA push 00410900h; ret 1_2_004108F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0041A864 push 0041A8F4h; ret 1_2_0041A8EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004108D4 push 00410900h; ret 1_2_004108F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0041A8F6 push 0041ABFCh; ret 1_2_0041ABF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00430954 push 004309CAh; ret 1_2_004309C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00412A4C push ecx; mov dword ptr [esp], edx 1_2_00412A51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00406A60 push ecx; mov dword ptr [esp], eax 1_2_00406A61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00452A2C push ecx; mov dword ptr [esp], ecx 1_2_00452A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00426A80 push 00426AACh; ret 1_2_00426AA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0041ABD0 push 0041ABFCh; ret 1_2_0041ABF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0040CBD4 push ecx; mov dword ptr [esp], edx 1_2_0040CBD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00436BB0 push 00436C25h; ret 1_2_00436C1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00406C44 push 00406C70h; ret 1_2_00406C68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00412C74 push ecx; mov dword ptr [esp], edx 1_2_00412C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00406C7C push 00406CA8h; ret 1_2_00406CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00436C28 push 00436C81h; ret 1_2_00436C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00426C2C push 00426C58h; ret 1_2_00426C50

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004420C8 PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 1_2_004420C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00458504 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 1_2_00458504
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_004427E8 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 1_2_004427E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00442898 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 1_2_00442898
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0043F0F0 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 1_2_0043F0F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0045732C IsIconic,GetCapture, 1_2_0045732C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00457BE0 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 1_2_00457BE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00423E14 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00423E14
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00426E24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00426E24
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00436AB0 1_2_00436AB0
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 1_2_00441638
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00436AB0 1_2_00436AB0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00404FF4 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 1_2_00404FF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0041E244 GetSystemInfo, 1_2_0041E244
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 00000004.00000002.668258285.0000000004CF0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000004.00000002.668258285.0000000004CF0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW)
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000004.00000002.668278273.0000000004EF0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_035A193B StrTrimA,lstrlen,wsprintfA,LdrInitializeThunk,LdrInitializeThunk, 1_2_035A193B
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00426E24 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00426E24
Source: C:\Windows\System32\loaddll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard
Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1014171378.0000000000E40000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_035A212D cpuid 1_2_035A212D
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_004051AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetACP, 1_2_0040C420
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_0040AE34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_0040AE80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 1_2_004052B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_00405AA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 1_2_00405AA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage, 1_2_035A340B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_00409934 GetLocalTime, 1_2_00409934
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 1_2_0045D200 GetVersion, 1_2_0045D200

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3848, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6480, type: MEMORY
Behavior Graph ID: 349160  Sample: ioir.png.dll  Startdate: 05/02/2021  Architecture: WINDOWS  Score: 68

Process tree and signatures (recovered from the behavior graph):
  Start
    Signatures: Multi AV Scanner detection for submitted file; Yara detected Ursnif
    loaddll32.exe (started)
      Signatures: Writes or reads registry keys via WMI; Writes registry values via WMI
      rundll32.exe (started)
        Signatures: Contains functionality to detect sleep reduction / modifications
        WerFault.exe (started)
    iexplore.exe (started)
      iexplore.exe (started)
        DNS/IP: topitophug.xyz 45.133.216.103, 443, 49744, 49745 CLOUDSOLUTIONSRU Russian Federation
      iexplore.exe (started)

Contacted Public IPs

IP              Domain   Country             ASN     ASN Name          Malicious
45.133.216.103  unknown  Russian Federation  202933  CLOUDSOLUTIONSRU  false

Contacted Domains

Name            IP              Active
topitophug.xyz  45.133.216.103  true