Analysis Report SecuriteInfo.com.Mal.EncPk-APW.3323.18304

Overview

General Information

Sample Name: SecuriteInfo.com.Mal.EncPk-APW.3323.18304 (renamed file extension from 18304 to dll)
Analysis ID: 382278
MD5: 937e2c551368757c5e3c3598c41ea7d9
SHA1: 599b5bc9138bec69ac61a82858d2a2115eeab943
SHA256: cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5

Detection

Ursnif
Score: 52 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Machine Learning detection for sample
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Machine Learning detection for sample
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.370902825.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.435655612.00000000013D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.383594776.0000000003220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.loaddll32.exe.13d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.a50000.2.raw.unpack, type: UNPACKEDPE
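The same three memory regions are reported twice, once as a raw memory dump (.sdmp) and once as the PE carved out of it (.raw.unpack). The following Python is an added example, not part of the Joe Sandbox report, that joins the two identifier forms on process index and base address so an analyst can pivot from one to the other. The identifiers are copied from this report; the field layout is an assumption read off them (first dotted field = process index, fourth field of the .sdmp name and the field after the image name in the .raw.unpack name = region base address). The other numeric fields are not explained on the page and are carried through without interpretation.

```python
"""Correlate Joe Sandbox .sdmp memory-dump names with .raw.unpack unpacked-PE names.

Added example, not part of the report. Field semantics are assumptions (see the
lead-in); the identifiers themselves are copied from the report's Yara matches.
"""
import re

# Copied verbatim from the report's Yara matches.
MEMORY_MATCHES = [
    "00000002.00000002.370902825.0000000000A50000.00000004.00000001.sdmp",
    "00000000.00000002.435655612.00000000013D0000.00000004.00000001.sdmp",
    "00000003.00000002.383594776.0000000003220000.00000004.00000001.sdmp",
]
UNPACKED_MATCHES = [
    "0.2.loaddll32.exe.13d0000.1.raw.unpack",
    "3.2.rundll32.exe.3220000.2.raw.unpack",
    "2.2.rundll32.exe.a50000.2.raw.unpack",
]

# Assumed layout: <proc>.<f2>.<f3>.<base, 16 hex digits>.<f5>.<f6>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>\d{8})\.(?P<f2>\d{8})\.(?P<f3>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<f5>\d{8})\.(?P<f6>\d{8})\.sdmp$"
)
# Assumed layout: <proc>.<f2>.<image name>.<base, lower-case hex>.<n>.raw.unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<f2>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-f]+)\.(?P<n>\d+)\.raw\.unpack$"
)


def parse_sdmp(name):
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised .sdmp identifier: {name}")
    return {"proc": int(m["proc"]), "base": int(m["base"], 16),
            "extra": (m["f2"], m["f3"], m["f5"], m["f6"]), "name": name}


def parse_unpack(name):
    m = UNPACK_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised .raw.unpack identifier: {name}")
    return {"proc": int(m["proc"]), "image": m["image"], "base": int(m["base"], 16),
            "extra": (m["f2"], m["n"]), "name": name}


def correlate(memory_names, unpack_names):
    """Join both lists on (process index, base address).

    Returns {(proc, base): {"sdmp": ..., "unpack": ..., "image": ...}}. A key that is
    missing one side means the report lists a dump without a carved PE, or vice versa.
    """
    table = {}
    for name in memory_names:
        d = parse_sdmp(name)
        table.setdefault((d["proc"], d["base"]), {})["sdmp"] = name
    for name in unpack_names:
        d = parse_unpack(name)
        entry = table.setdefault((d["proc"], d["base"]), {})
        entry["unpack"] = name
        entry["image"] = d["image"]
    return table


def unmatched(table):
    """Keys present on only one side of the join, sorted for stable output."""
    return sorted(k for k, v in table.items() if "sdmp" not in v or "unpack" not in v)


def summary(table):
    """One line per region, e.g. 'proc 2 rundll32.exe base 0x00a50000'."""
    return [f"proc {p} {v.get('image', '?')} base 0x{b:08x}"
            for (p, b), v in sorted(table.items())]


if __name__ == "__main__":
    joined = correlate(MEMORY_MATCHES, UNPACKED_MATCHES)
    print("\n".join(summary(joined)))
    print("unmatched:", unmatched(joined))
```

For this report the join is complete: every dumped region in loaddll32.exe (process 0), rundll32.exe (process 2) and rundll32.exe (process 3) has a carved PE at the same base, which is the usual picture when the Yara hit is on an unpacked payload rather than on the on-disk DLL.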

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.370902825.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.435655612.00000000013D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.383594776.0000000003220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.loaddll32.exe.13d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.a50000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 0_2_01205F16
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205A25 0_2_01205A25
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0120150C 0_2_0120150C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01203A14 0_2_01203A14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01201B1E 0_2_01201B1E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205262 0_2_01205262
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01202566 0_2_01202566
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01201967 0_2_01201967
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01202A69 0_2_01202A69
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205378 0_2_01205378
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01203FAB 0_2_01203FAB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01202FAF 0_2_01202FAF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_012092B2 0_2_012092B2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_012031B3 0_2_012031B3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_012088BA 0_2_012088BA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_012013C5 0_2_012013C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01201CD0 0_2_01201CD0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_012027D4 0_2_012027D4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_012043D8 0_2_012043D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A5F16 2_2_007A5F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A5378 2_2_007A5378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A2A69 2_2_007A2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A5262 2_2_007A5262
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A2566 2_2_007A2566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A1967 2_2_007A1967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A5A25 2_2_007A5A25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A1B1E 2_2_007A1B1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A3A14 2_2_007A3A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A150C 2_2_007A150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A43D8 2_2_007A43D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A1CD0 2_2_007A1CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A27D4 2_2_007A27D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A13C5 2_2_007A13C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A88BA 2_2_007A88BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A92B2 2_2_007A92B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A31B3 2_2_007A31B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A3FAB 2_2_007A3FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A2FAF 2_2_007A2FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03206A9C 3_2_03206A9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03202100 3_2_03202100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0320150C 3_2_0320150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0320510C 3_2_0320510C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03203A14 3_2_03203A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03205F16 3_2_03205F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03201B1E 3_2_03201B1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03202566 3_2_03202566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03201967 3_2_03201967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03202A69 3_2_03202A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03203574 3_2_03203574
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03202FAF 3_2_03202FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032092B2 3_2_032092B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032088BA 3_2_032088BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03204593 3_2_03204593
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032013C5 3_2_032013C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03203DCD 3_2_03203DCD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_032027D4 3_2_032027D4
Uses 32bit PE files
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal52.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
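The process-creation lines above describe the loader harness: loaddll32.exe calls the exported DllServer function directly and, separately, goes through cmd.exe /C to invoke the DLL's export ordinal #1 via rundll32.exe. The Python below is an added example, not part of the Joe Sandbox report, that parses those lines (copied from this section, with the trailing link text removed) into a process tree and scores each rundll32 launch. The line layout 'Source: <parent image> Process created: <child image> <command line>' is taken from the report; the scoring heuristics (export by ordinal, DLL under a user profile, cmd.exe as launcher) are this example's own and say nothing about how the sandbox itself scores.

```python
"""Rebuild the sandbox process tree from 'Process created' lines and rate rundll32 launches.

Added example, not part of the Joe Sandbox report. The heuristics in flag_rundll32() are
this example's own; the log lines are copied from the report.
"""
import re

# Copied from the report's System Summary (trailing "Jump to behavior" removed).
EVENT_LINES = r"""
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
""".strip().splitlines()

LINE_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+)$")
# rundll32.exe <dll>,<export>; the DLL path may be single-quoted, as in the report.
RUNDLL_RE = re.compile(r"rundll32\.exe\s+'?(?P<dll>[^',]+?)'?\s*,\s*(?P<export>\S+)", re.IGNORECASE)


def parse_events(lines):
    """Turn each 'Process created' line into {"parent", "image", "cmdline"}."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"parent": m["parent"], "image": m["image"], "cmdline": m["cmdline"]})
    return events


def build_tree(events):
    """Parent image path -> list of child events (the report identifies processes by path)."""
    tree = {}
    for ev in events:
        tree.setdefault(ev["parent"], []).append(ev)
    return tree


def flag_rundll32(ev):
    """Heuristic reasons why a creation event looks like a rundll32 loader launch."""
    m = RUNDLL_RE.search(ev["cmdline"])
    if not m:
        return []
    reasons = []
    if m["export"].startswith("#"):
        reasons.append("export by ordinal")
    if m["dll"].lower().startswith("c:\\users\\"):
        reasons.append("DLL under user profile")
    if ev["parent"].lower().endswith("\\cmd.exe"):
        reasons.append("launched via cmd.exe")
    if ev["image"].lower().endswith("\\cmd.exe"):
        reasons.append("rundll32 wrapped in cmd.exe /C")
    return reasons


def suspicious(events):
    """(command line, reasons) for every event that triggered at least one heuristic."""
    out = []
    for ev in events:
        reasons = flag_rundll32(ev)
        if reasons:
            out.append((ev["cmdline"], reasons))
    return out


def render_tree(tree, root="unknown", depth=0):
    """Indented text rendering of the tree, starting at the given parent."""
    lines = []
    for ev in tree.get(root, []):
        lines.append("  " * depth + ev["cmdline"])
        lines.extend(render_tree(tree, ev["image"], depth + 1))
    return lines


if __name__ == "__main__":
    evs = parse_events(EVENT_LINES)
    print("\n".join(render_tree(build_tree(evs))))
    for cmdline, why in suspicious(evs):
        print(f"[{', '.join(why)}] {cmdline}")
```

Keying the tree on image path works here because the report names parents by path rather than PID; on real endpoint telemetry, key on PID plus creation time instead, since several rundll32.exe instances can run concurrently.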

Data Obfuscation:

PE file contains sections with non-standard names
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 0_2_01205F7B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_01205F94
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_01205FDD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_0120604B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_01206124
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push 00000000h; mov dword ptr [esp], edi 0_2_0120614F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push 00000000h; mov dword ptr [esp], edx 0_2_0120625E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_012062B5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_01206343
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_0120635D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push 00000000h; mov dword ptr [esp], ebp 0_2_01206368
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_01206385
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push 00000000h; mov dword ptr [esp], edx 0_2_012063B4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_01206483
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_012064F2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 0_2_012064FE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_0120650A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push 00000000h; mov dword ptr [esp], edi 0_2_01206567
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push 00000000h; mov dword ptr [esp], edi 0_2_012065A9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push 00000000h; mov dword ptr [esp], eax 0_2_01206610
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_01206685
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 0_2_012066C2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_012066E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push 00000000h; mov dword ptr [esp], edi 0_2_01206781
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push 00000000h; mov dword ptr [esp], edx 0_2_012067B6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_0120684C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_01206858
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx 0_2_01206926
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 0_2_01206945
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 0_2_01206951
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01205F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 0_2_012069D6

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.370902825.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.435655612.00000000013D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.383594776.0000000003220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.loaddll32.exe.13d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.a50000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes: no thread injection, dropped files, registry values created, disk infection or DNS queries detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01202A69 xor edi, dword ptr fs:[00000030h] 0_2_01202A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_007A2A69 xor edi, dword ptr fs:[00000030h] 2_2_007A2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_03202A69 xor edi, dword ptr fs:[00000030h] 3_2_03202A69
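Two of the static signatures above are byte patterns that can be scanned for directly: the "push X; mov dword ptr [esp], reg" pairs listed under Data Obfuscation (a disguised "push reg" that defeats naive instruction matching) and the "xor edi, dword ptr fs:[00000030h]" read of the PEB pointer listed here. The Python below is an added example, not part of the Joe Sandbox report, that finds both idioms in a raw code buffer and rewrites the first into its plain form. The byte sequences are hand-assembled from the report's disassembly plus a few filler instructions and form a constructed input, not bytes taken from the sample; the x86 encodings (FS override 0x64, push imm8 0x6A, push [ebp+disp8] FF 75, mov [esp],r32 as 89 /r with SIB 0x24) are standard.

```python
"""Scan raw x86-32 code for 'push X; mov [esp], reg' and direct fs:[30h] (PEB) reads.

Added example, not part of the Joe Sandbox report. SAMPLE is a constructed buffer
assembled by hand from the report's disassembly lines; it is not the sample's bytes.
"""
import re

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# push imm8 (6A ib) or push dword [ebp+disp8] (FF 75 ib), immediately followed by
# mov [esp], r32 (89 /r, modrm = 00 reg 100, SIB 0x24 = [esp]).
PUSH_MOV_RE = re.compile(
    rb"(?:\x6A.|\xFF\x75.)\x89([\x04\x0C\x14\x1C\x24\x2C\x34\x3C])\x24", re.DOTALL
)

# FS override (64) + either the short 'mov eax, fs:[moffs32]' (A1), 'push dword ptr' (FF 35),
# or an ALU/mov opcode with modrm mod=00 rm=101 (disp32), all with disp32 == 0x30.
ALU_OPS = {0x03: "add", 0x0B: "or", 0x13: "adc", 0x1B: "sbb", 0x23: "and",
           0x2B: "sub", 0x33: "xor", 0x3B: "cmp", 0x8B: "mov"}
PEB_RE = re.compile(
    rb"\x64(?:(?P<moffs>\xA1)|(?P<push>\xFF\x35)"
    rb"|(?P<op>[\x03\x0B\x13\x1B\x23\x2B\x33\x3B\x8B])(?P<modrm>[\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))"
    rb"\x30\x00\x00\x00",
    re.DOTALL,
)

# Constructed input: report idioms interleaved with filler (offsets noted per line).
SAMPLE = bytes.fromhex(
    "55 8B EC"                # 0: push ebp; mov ebp, esp
    "6A 00 89 3C 24"          # 3: push 0; mov [esp], edi          (report: 0_2_0120614F)
    "FF 75 F4 89 04 24"       # 8: push [ebp-0Ch]; mov [esp], eax  (report: 0_2_01205F94)
    "64 33 3D 30 00 00 00"    # 14: xor edi, dword ptr fs:[30h]    (report: 0_2_01202A69)
    "64 A1 30 00 00 00"       # 21: mov eax, dword ptr fs:[30h]
    "6A 00 89 14 24"          # 27: push 0; mov [esp], edx
    "C3"                      # 32: ret
)


def normalize_push_mov(code):
    """Rewrite each 'push X; mov [esp], reg' pair as 'push reg' followed by NOP padding.

    The pushed placeholder is dead because the mov overwrites the slot immediately, so the
    rewrite preserves behaviour and the buffer length. Returns (new_code, [(offset, reg)]).
    """
    out = bytearray(code)
    found = []
    for m in PUSH_MOV_RE.finditer(code):
        reg = (m.group(1)[0] >> 3) & 7          # reg field of the mov's modrm byte
        start, end = m.span()
        out[start:end] = bytes([0x50 + reg]) + b"\x90" * (end - start - 1)
        found.append((start, REGS[reg]))
    return bytes(out), found


def find_peb_reads(code):
    """Return [(offset, mnemonic)] for every direct fs:[30h] access in the buffer."""
    hits = []
    for m in PEB_RE.finditer(code):
        if m.group("moffs"):
            hits.append((m.start(), "mov eax, dword ptr fs:[30h]"))
        elif m.group("push"):
            hits.append((m.start(), "push dword ptr fs:[30h]"))
        else:
            op = ALU_OPS[m.group("op")[0]]
            reg = REGS[(m.group("modrm")[0] >> 3) & 7]
            hits.append((m.start(), f"{op} {reg}, dword ptr fs:[30h]"))
    return hits


if __name__ == "__main__":
    cleaned, pairs = normalize_push_mov(SAMPLE)
    for off, reg in pairs:
        print(f"{off:04x}: push {reg}")
    for off, text in find_peb_reads(SAMPLE):
        print(f"{off:04x}: {text}")
```

Both scanners work on raw bytes without decoding instruction boundaries, so they can fire inside data or across overlapping instructions; treat a hit as a place to disassemble, not as proof. The PEB scanner also misses the indirect route (load the TEB from fs:[18h], then read [reg+30h]) and 64-bit code, which uses gs:[60h].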
Program does not show much activity (idle)
Source: all processes: no thread injection, dropped files, registry values created, disk infection or DNS queries detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.370902825.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.435655612.00000000013D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.383594776.0000000003220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.loaddll32.exe.13d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.a50000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.370902825.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.435655612.00000000013D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.383594776.0000000003220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.loaddll32.exe.13d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.3220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.a50000.2.raw.unpack, type: UNPACKEDPE