
Analysis Report bTjvWUTLid.dll

Overview

General Information

Sample Name: bTjvWUTLid.dll
Analysis ID: 382127
MD5: 9064c426999ab9e059e1e533b34f97be
SHA1: cc20039678658d4e79aef801907f4a1bf06c418a
SHA256: 7d80947ba6784330e792fae5eded56f2e7f228740e19f9af19106886e567b268
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 4740 cmdline: loaddll32.exe 'C:\Users\user\Desktop\bTjvWUTLid.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 5936 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\bTjvWUTLid.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 4700 cmdline: rundll32.exe 'C:\Users\user\Desktop\bTjvWUTLid.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6076 cmdline: rundll32.exe C:\Users\user\Desktop\bTjvWUTLid.dll,StartService MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 2296 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6212 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2296 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6356 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6380 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6356 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 1328 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6356 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6652 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5024 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6652 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • iexplore.exe (PID: 6584 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6652 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.294061363.0000000005418000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.322688241.0000000003C4B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000002.468904575.0000000003A4F000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.293962458.0000000005418000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.322716434.0000000003C4B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(17 entries in total; 5 shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.10000000.5.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
4.2.rundll32.exe.30b0000.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.2b20000.2.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.fe0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
1.2.loaddll32.exe.10000000.4.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 3.2.rundll32.exe.2b20000.2.raw.unpack | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: bTjvWUTLid.dll | Virustotal: Detection: 50%
Machine Learning detection for sample
Source: bTjvWUTLid.dll | Joe Sandbox ML: detected
Source: 4.2.rundll32.exe.10000000.5.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.loaddll32.exe.30b0000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.2.loaddll32.exe.10000000.4.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: bTjvWUTLid.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030912D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree | 1_2_030912D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_047F12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree | 4_2_047F12D4
Source: Joe Sandbox View | IP Address: 185.243.114.196
Source: Joe Sandbox View | IP Address: 185.186.244.95
Source: Joe Sandbox View | ASN Name: ACCELERATED-ITDE
Source: Joe Sandbox View | ASN Name: WEBZILLANL
Source: global traffic | TCP traffic: 192.168.2.3:49761 -> 185.243.114.196:80
Source: global traffic | TCP traffic: 192.168.2.3:49769 -> 185.186.244.95:80
Source: unknown | DNS traffic detected: queries for: login.microsoftonline.com
Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js.13.dr | String found in binary or memory: http://feross.org
Source: rundll32.exe, 00000004.00000002.468417871.00000000030DA000.00000004.00000020.sdmp | String found in binary or memory: http://under17.com
Source: ~DF192FA70C64A9B1B3.TMP.24.dr, {9BF67423-9690-11EB-90E4-ECF4BB862DED}.dat.24.dr | String found in binary or memory: http://under17.com/joomla/BcGu0m62F/jipvWjxPGSvhDYPo_2Bk/bMq_2FTLMb8SDAjBl90/qMl83SSfim_2BNELhiIF43/
Source: ~DF058AFC2113F0053A.TMP.24.dr, {9BF67421-9690-11EB-90E4-ECF4BB862DED}.dat.24.dr | String found in binary or memory: http://under17.com/joomla/G2ZDC8nn3wolJdH4SM/R_2FZIZic/jRRSf9Lfj1TfaLV_2FrF/Xa4iMZXZ_2FvgVSu1Or/GmOK
Source: {7FB5F6EF-9690-11EB-90E4-ECF4BB862DED}.dat.12.dr | String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000002.466547139.0000000000FE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.239107986.0000000002B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.468243030.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.30b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2b20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.fe0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.294061363.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322688241.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.468904575.0000000003A4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.293962458.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322716434.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322780684.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322817865.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.293989967.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294041063.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.402234739.0000000003B4D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294103973.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294092748.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322646205.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294077737.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322756928.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.469869205.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294019471.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4700, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4740, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: the same memory-dump, unpacked-PE and process-memory matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001D9F NtMapViewOfSection | 1_2_10001D9F
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001EB5 GetProcAddress,NtCreateSection,memset | 1_2_10001EB5
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10002375 NtQueryVirtualMemory | 1_2_10002375
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030983B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 1_2_030983B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0309B341 NtQueryVirtualMemory | 1_2_0309B341
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_047F83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose | 4_2_047F83B7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_047FB341 NtQueryVirtualMemory | 4_2_047FB341
Source: C:\Windows\System32\loaddll32.exe, C:\Windows\SysWOW64\rundll32.exe | Code function: (further functions listed by address only, without resolved API names)
Source: bTjvWUTLid.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal84.troj.winDLL@20/69@9/2
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_0309757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 1_2_0309757F
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFACC10D909317CF6D.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\bTjvWUTLid.dll,StartService
Source: bTjvWUTLid.dll | Virustotal: Detection: 50%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\bTjvWUTLid.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\bTjvWUTLid.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\bTjvWUTLid.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\bTjvWUTLid.dll',#1
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2296 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6356 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6356 CREDAT:82952 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6652 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6652 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001745 LoadLibraryA,GetProcAddress | 1_2_10001745
Source: bTjvWUTLid.dll | Static PE information: section name: .code
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx | 1_2_030B34A1
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx | 1_2_030B3632
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B348F push 00000000h; mov dword ptr [esp], edx | 1_2_030B37FE
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B348F push edx; mov dword ptr [esp], 00000002h | 1_2_030B384A
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B348F push 00000000h; mov dword ptr [esp], ecx | 1_2_030B38D7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B6194 push eax; mov dword ptr [esp], 00000004h | 1_2_030B61AF
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B6194 push esi; mov dword ptr [esp], 00001000h | 1_2_030B61B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B6194 push 00000000h; mov dword ptr [esp], ebp | 1_2_030B6267
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1000 push 00000000h; mov dword ptr [esp], ebp | 1_2_030B110A
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1000 push 00000000h; mov dword ptr [esp], ebx | 1_2_030B1146
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1000 push 00000000h; mov dword ptr [esp], ebp | 1_2_030B118E
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1000 push ebp; mov dword ptr [esp], 00000002h | 1_2_030B1270
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1000 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx | 1_2_030B12E7
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1918 push dword ptr [ebp-24h]; mov dword ptr [esp], ebx | 1_2_030B1927
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1918 push 00000000h; mov dword ptr [esp], ecx | 1_2_030B1B10
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1918 push 00000000h; mov dword ptr [esp], esi | 1_2_030B1CD4
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1918 push 00000000h; mov dword ptr [esp], esi | 1_2_030B1D37
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1918 push dword ptr [ebp-20h]; mov dword ptr [esp], esi | 1_2_030B1DC0
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1918 push 00000000h; mov dword ptr [esp], ebp | 1_2_030B1E4C
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B1918 push dword ptr [ebp-20h]; mov dword ptr [esp], ecx | 1_2_030B1F23
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B6424 push dword ptr [ebp-08h]; mov dword ptr [esp], esp | 1_2_030B644D
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B6424 push 00000000h; mov dword ptr [esp], edi | 1_2_030B64EC
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B6424 push 00000000h; mov dword ptr [esp], ecx | 1_2_030B657A
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B6424 push 00000000h; mov dword ptr [esp], ebp | 1_2_030B65D2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_030B6424 push dword ptr [ebp-08h]; mov dword ptr [esp], eax1_2_030B66E2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_030B6424 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx1_2_030B6736
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_030B463F push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax1_2_030B4648
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_030B463F push ebp; mov dword ptr [esp], 00000003h1_2_030B46A2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_030B463F push ebx; mov dword ptr [esp], 00F00000h1_2_030B46AB
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_030B6633 push dword ptr [ebp-08h]; mov dword ptr [esp], eax1_2_030B66E2
                      Source: C:\Windows\System32\loaddll32.exeCode function: 1_2_030B6633 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx1_2_030B6736

                      Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000002.466547139.0000000000FE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.239107986.0000000002B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.468243030.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.30b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.2b20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.fe0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.294061363.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322688241.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.468904575.0000000003A4F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.293962458.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322716434.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322780684.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322817865.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.293989967.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294041063.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.402234739.0000000003B4D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294103973.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294092748.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322646205.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294077737.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.322756928.0000000003C4B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.469869205.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.294019471.0000000005418000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4700, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 4740, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030912D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree (1_2_030912D4)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_047F12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree (4_2_047F12D4)
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_10001745 LoadLibraryA,GetProcAddress (1_2_10001745)
Source: C:\Windows\System32\loaddll32.exe | Code function: 1_2_030B2DF5 or edx, dword ptr fs:[00000030h] (1_2_030B2DF5)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_048E2DF5 or edx, dword ptr fs:[00000030h] (4_2_048E2DF5)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\bTjvWUTLid.dll',#1
Source: loaddll32.exe, 00000001.00000002.467882203.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.468674818.00000000033D0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.467882203.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.468674818.00000000033D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.467882203.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.468674818.00000000033D0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.467882203.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.468674818.00000000033D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock