Play interactive tour

Edit tour

Analysis Report KcFVz0y2si.dll

Overview

General Information

Sample Name:	KcFVz0y2si.dll
Analysis ID:	382183
MD5:	a1e2a0759924852c160b109f73ffd091
SHA1:	7ebf1673c6661cfddfa4891c6e455111ce331333
SHA256:	657455d2129ca06ee85cb534186d7d80b648e10f7f9e50f43cc5f56fbc7d154c
Tags:	dllGoziISFBUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Writes or reads registry keys via WMI

Writes registry values via WMI

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

loaddll32.exe (PID: 4200 cmdline: loaddll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 2936 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 408 cmdline: rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1852 cmdline: rundll32.exe C:\Users\user\Desktop\KcFVz0y2si.dll,StartService MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 5740 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 1260 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5740 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 2212 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4592 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 5348 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17414 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 1076 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 2440 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1076 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.800812479.0000000004D38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.800782996.0000000004D38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.798289692.0000000003ACB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.800751690.0000000004D38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.798356915.0000000003ACB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000002.912950369.0000000001180000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.798241587.0000000003ACB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.798380410.0000000003ACB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.912982119.00000000001D0000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.798275065.0000000003ACB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.800877488.0000000004D38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.800857311.0000000004D38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.800835964.0000000004D38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000000.00000003.798260213.0000000003ACB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000002.00000002.678640834.00000000011D0000.00000004.00000001.sdmp	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
00000000.00000003.877675545.00000000039CD000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.800898920.0000000004D38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.800911923.0000000004D38000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: loaddll32.exe PID: 4200	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 408	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author
3.2.rundll32.exe.10000000.5.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
3.2.rundll32.exe.1d0000.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.1180000.0.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
2.2.rundll32.exe.11d0000.1.raw.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security
0.2.loaddll32.exe.10000000.4.unpack	JoeSecurity_Ursnif_1	Yara detected Ursnif	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0.2.loaddll32.exe.37794a0.3.raw.unpack

Malware Configuration Extractor: Ursnif [{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]

Multi AV Scanner detection for submitted file

Show sources

Source: KcFVz0y2si.dll	Virustotal: Detection: 52%			Perma Link
Source: KcFVz0y2si.dll	ReversingLabs: Detection: 52%

Machine Learning detection for sample

Show sources

Source: KcFVz0y2si.dll

Joe Sandbox ML: detected

Source: 3.2.rundll32.exe.a60000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen3
Source: 0.2.loaddll32.exe.10000000.4.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3.2.rundll32.exe.10000000.5.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: KcFVz0y2si.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_02FA12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,

0_2_02FA12D4

Source: Joe Sandbox View

IP Address: 185.243.114.196 185.243.114.196

Source: Joe Sandbox View

ASN Name: ACCELERATED-ITDE ACCELERATED-ITDE

Source: global traffic

TCP traffic: 192.168.2.4:49739 -> 185.243.114.196:80

Source: unknown

DNS traffic detected: queries for: login.microsoftonline.com

Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js.7.dr	String found in binary or memory: http://feross.org
Source: loaddll32.exe, 00000000.00000002.913202571.00000000013DF000.00000004.00000020.sdmp	String found in binary or memory: http://under17.com
Source: loaddll32.exe, 00000000.00000002.913123294.000000000135B000.00000004.00000020.sdmp, ~DF3D1717B6AEE1212D.TMP.8.dr, {D2E72914-964E-11EB-90EB-ECF4BBEA1588}.dat.8.dr	String found in binary or memory: http://under17.com/joomla/RnasiUAhJh/oSxo5X5EIKvwU8Ag1/uMFl7HC_2Fjl/9ltc89lzleE/s0K70MqQow8SbX/RmoUq
Source: ~DFD254BC66F83ED0AF.TMP.11.dr, {E0E69389-964E-11EB-90EB-ECF4BBEA1588}.dat.11.dr	String found in binary or memory: http://under17.com/joomla/lIbeNmys4TdjSx_2FdVt/zKr90P9Hk_2BiF_2Ff8/DQfv4eLCQELbftpFrLH4_2/BewGR13P5J
Source: {B87D9162-964E-11EB-90EB-ECF4BBEA1588}.dat.6.dr, ~DFB4B54F0F959EF8BA.TMP.6.dr	String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/globalisierung-ohne-die-weltwirtschaft-w
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronavirus/die-neusten-entwicklungen-coronavirus-weltweit-ab-
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/zweiter-weltkrieg-in-griechenland-die-zweite-sch
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/coronakrise-laschet-fordert-harten-br
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/konflikt-mit-russland-borrell-sichert-ukraine-unterst
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/wie-die-allianz-draghi-macron-europa-ver
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/schweiz/
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/querdenken-in-stuttgart-es-geht-um-selbsterm
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/admirale-begehren-auf-gegen-das-verr
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/bei-gebet-zum-ostermontag-papst-franziskus-erinnert-an-menschen
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/eine-stadt-feiert-ihre-vergessenen-heldinnen/ar-BB1fkih4?ocid=B
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/eine-woche-lockdown-in-bangladesch-h
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/gaga-regel-trotz-fallzahl-sinkflug-warum-steht-israel-immer-noc
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/grossbritannien-boris-johnson-will-am-12-april-erstes-bier-im-b
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/inzidenz-vor-allem-in-istanbul-hoch-erneut-mehr-als-40-000-coro
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/miss-burma-stellt-die-junta-an-den-pranger/ar-BB1fk4ie?ocid=Bin
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/nawalny-gesundheitszustand-im-straflager-weiter-verschlechtert/
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/pappa-rechtfertigt-polizeieins
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/russland-putin-erlaubt-sich-selbst-das-weiterregieren-bis-2036/
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/sind-die-500-wegweisungen-rechtlich-vertretbar/ar-BB1fkglv?ocid
Source: msnpopularnow[1].json.7.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/vjosa-osmani-neue-staatspr

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000002.912950369.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.912982119.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.678640834.00000000011D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.11d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.800812479.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800782996.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798289692.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800751690.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798356915.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798241587.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798380410.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798275065.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800877488.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800857311.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800835964.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798260213.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.877675545.00000000039CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800898920.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800911923.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4200, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 408, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.913123294.000000000135B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000002.912950369.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.912982119.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.678640834.00000000011D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.11d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.800812479.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800782996.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798289692.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800751690.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798356915.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798241587.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798380410.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798275065.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800877488.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800857311.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800835964.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798260213.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.877675545.00000000039CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800898920.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800911923.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4200, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 408, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001D9F NtMapViewOfSection,	0_2_10001D9F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001EB5 GetProcAddress,NtCreateSection,memset,	0_2_10001EB5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002375 NtQueryVirtualMemory,	0_2_10002375
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02FA83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	0_2_02FA83B7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02FAB341 NtQueryVirtualMemory,	0_2_02FAB341

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF348F	0_2_02EF348F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF20EE	0_2_02EF20EE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF52EC	0_2_02EF52EC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF28EB	0_2_02EF28EB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF5AF6	0_2_02EF5AF6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF3BDB	0_2_02EF3BDB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF3FA8	0_2_02EF3FA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF3A85	0_2_02EF3A85
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF1B95	0_2_02EF1B95
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF596E	0_2_02EF596E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF237B	0_2_02EF237B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF247B	0_2_02EF247B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF5C76	0_2_02EF5C76
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF1374	0_2_02EF1374
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF554B	0_2_02EF554B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF4859	0_2_02EF4859
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF6424	0_2_02EF6424
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF1000	0_2_02EF1000
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF1918	0_2_02EF1918
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF3314	0_2_02EF3314
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002154	0_2_10002154
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02FA4094	0_2_02FA4094
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02FA97F2	0_2_02FA97F2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02FAB11C	0_2_02FAB11C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D348F	2_2_049D348F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D1B95	2_2_049D1B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D3A85	2_2_049D3A85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D3FA8	2_2_049D3FA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D3BDB	2_2_049D3BDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D5AF6	2_2_049D5AF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D52EC	2_2_049D52EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D20EE	2_2_049D20EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D28EB	2_2_049D28EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D1918	2_2_049D1918
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D3314	2_2_049D3314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D1000	2_2_049D1000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D6424	2_2_049D6424
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D4859	2_2_049D4859
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D554B	2_2_049D554B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D237B	2_2_049D237B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D247B	2_2_049D247B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D1374	2_2_049D1374
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D5C76	2_2_049D5C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D596E	2_2_049D596E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A6348F	3_2_00A6348F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A63FA8	3_2_00A63FA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A63A85	3_2_00A63A85
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A61B95	3_2_00A61B95
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A620EE	3_2_00A620EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A652EC	3_2_00A652EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A628EB	3_2_00A628EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A65AF6	3_2_00A65AF6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A63BDB	3_2_00A63BDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A66424	3_2_00A66424
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A61000	3_2_00A61000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A63314	3_2_00A63314
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A61918	3_2_00A61918
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A6596E	3_2_00A6596E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A65C76	3_2_00A65C76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A61374	3_2_00A61374
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A6237B	3_2_00A6237B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A6247B	3_2_00A6247B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A6554B	3_2_00A6554B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A64859	3_2_00A64859

Source: KcFVz0y2si.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal84.troj.winDLL@18/115@5/1

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_02FA757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

0_2_02FA757F

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B87D9160-964E-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF3CCEFA9C6D079283.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KcFVz0y2si.dll,StartService

Source: KcFVz0y2si.dll	Virustotal: Detection: 52%
Source: KcFVz0y2si.dll	ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KcFVz0y2si.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5740 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17414 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1076 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\KcFVz0y2si.dll,StartService	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5740 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2212 CREDAT:17414 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1076 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001745 LoadLibraryA,GetProcAddress,

0_2_10001745

Source: KcFVz0y2si.dll

Static PE information: section name: .code

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx	0_2_02EF34A1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx	0_2_02EF3632
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF348F push 00000000h; mov dword ptr [esp], edx	0_2_02EF37FE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF348F push edx; mov dword ptr [esp], 00000002h	0_2_02EF384A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF348F push 00000000h; mov dword ptr [esp], ecx	0_2_02EF38D7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF6194 push eax; mov dword ptr [esp], 00000004h	0_2_02EF61AF
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF6194 push esi; mov dword ptr [esp], 00001000h	0_2_02EF61B7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF6194 push 00000000h; mov dword ptr [esp], ebp	0_2_02EF6267
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF20EE push 00000000h; mov dword ptr [esp], esi	0_2_02EF210B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF20EE push dword ptr [ebp-10h]; mov dword ptr [esp], esi	0_2_02EF2177
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF20EE push dword ptr [ebp-10h]; mov dword ptr [esp], ecx	0_2_02EF222E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF20EE push 00000000h; mov dword ptr [esp], eax	0_2_02EF2498
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF20EE push 00000000h; mov dword ptr [esp], edi	0_2_02EF2502
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF20EE push 00000000h; mov dword ptr [esp], ecx	0_2_02EF2524
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF20EE push dword ptr [ebp-10h]; mov dword ptr [esp], ecx	0_2_02EF269D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF20EE push dword ptr [ebp-10h]; mov dword ptr [esp], esi	0_2_02EF2737
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF20EE push edi; mov dword ptr [esp], 00000004h	0_2_02EF2759
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF5AF6 push esi; mov dword ptr [esp], 0000F000h	0_2_02EF5C11
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF4DF5 push 00000000h; mov dword ptr [esp], edi	0_2_02EF4EA4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF2DF5 push dword ptr [ebp-04h]; mov dword ptr [esp], edi	0_2_02EF2E1C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF2DF5 push 00000000h; mov dword ptr [esp], edx	0_2_02EF2EAD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF2DF5 push 00000000h; mov dword ptr [esp], ebp	0_2_02EF2EC1
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF6099 push esi; mov dword ptr [esp], FFFF0000h	0_2_02EF60A8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF6099 push ecx; mov dword ptr [esp], 00005267h	0_2_02EF60C0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF6099 push 00000000h; mov dword ptr [esp], edi	0_2_02EF60D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF6099 push ebx; mov dword ptr [esp], 00001000h	0_2_02EF60F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF6099 push ebx; mov dword ptr [esp], 000FFFFFh	0_2_02EF615F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF6099 push ebx; mov dword ptr [esp], 00406194h	0_2_02EF6175
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF1B95 push dword ptr [ebp-1Ch]; mov dword ptr [esp], esp	0_2_02EF1BF2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF1B95 push 00000000h; mov dword ptr [esp], esi	0_2_02EF1CD4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF1B95 push 00000000h; mov dword ptr [esp], esi	0_2_02EF1D37

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000000.00000002.912950369.0000000001180000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.912982119.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.678640834.00000000011D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.1180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.11d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.800812479.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800782996.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798289692.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800751690.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798356915.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798241587.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798380410.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798275065.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800877488.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800857311.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800835964.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.798260213.0000000003ACB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.877675545.00000000039CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800898920.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.800911923.0000000004D38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 4200, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 408, type: MEMORY

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

0_2_02FA12D4

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10001745 LoadLibraryA,GetProcAddress,

0_2_10001745

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_02EF2DF5 or edx, dword ptr fs:[00000030h]	0_2_02EF2DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_049D2DF5 or edx, dword ptr fs:[00000030h]	2_2_049D2DF5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_00A62DF5 or edx, dword ptr fs:[00000030h]	3_2_00A62DF5

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\KcFVz0y2si.dll',#1

Jump to behavior

Source: loaddll32.exe, 00000000.00000002.913218245.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.913863321.0000000003340000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.913218245.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.913863321.0000000003340000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.913218245.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.913863321.0000000003340000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.913218245.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.913863321.0000000003340000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report KcFVz0y2si.dll

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection: