Analysis Report SecuriteInfo.com.Mal.EncPk-APW.3323.dll

Overview

General Information

Sample Name: SecuriteInfo.com.Mal.EncPk-APW.3323.dll
Analysis ID: 382278
MD5: 937e2c551368757c5e3c3598c41ea7d9
SHA1: 599b5bc9138bec69ac61a82858d2a2115eeab943
SHA256: cb73a2cf01aa499376231e1c5c14dbf0abfae7a2f2036c78bcfbc35b2284a5d5

Detection

Ursnif
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll Virustotal: Detection: 28%
Machine Learning detection for sample
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002375 NtQueryVirtualMemory, 1_2_10002375
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002154 1_2_10002154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 3_2_023D5F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5A25 3_2_023D5A25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D1B1E 3_2_023D1B1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D3A14 3_2_023D3A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D150C 3_2_023D150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5378 3_2_023D5378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D2A69 3_2_023D2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D1967 3_2_023D1967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D2566 3_2_023D2566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5262 3_2_023D5262
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D88BA 3_2_023D88BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D31B3 3_2_023D31B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D92B2 3_2_023D92B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D2FAF 3_2_023D2FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D3FAB 3_2_023D3FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D43D8 3_2_023D43D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D27D4 3_2_023D27D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D1CD0 3_2_023D1CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D13C5 3_2_023D13C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03045F16 4_2_03045F16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0304150C 4_2_0304150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03043A14 4_2_03043A14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03041B1E 4_2_03041B1E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03045A25 4_2_03045A25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03042566 4_2_03042566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03041967 4_2_03041967
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03045262 4_2_03045262
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03042A69 4_2_03042A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03045378 4_2_03045378
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03042FAF 4_2_03042FAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03043FAB 4_2_03043FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030492B2 4_2_030492B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030431B3 4_2_030431B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030488BA 4_2_030488BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030413C5 4_2_030413C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030427D4 4_2_030427D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03041CD0 4_2_03041CD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030443D8 4_2_030443D8
Uses 32bit PE files
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal60.troj.winDLL@7/0@0/0
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll Virustotal: Detection: 28%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll,DllServer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, 1_2_10001745
PE file contains sections with non-standard names
Source: SecuriteInfo.com.Mal.EncPk-APW.3323.dll Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002143 push ecx; ret 1_2_10002153
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100020F0 push ecx; ret 1_2_100020F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], edx 3_2_023D5F7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_023D5F94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_023D5FDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_023D604B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_023D6124
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi 3_2_023D614F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx 3_2_023D625E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_023D62B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_023D6343
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_023D635D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], ebp 3_2_023D6368
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_023D6385
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx 3_2_023D63B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_023D6483
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_023D64F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_023D64FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_023D650A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi 3_2_023D6567
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi 3_2_023D65A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], eax 3_2_023D6610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_023D6685
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 3_2_023D66C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_023D66E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edi 3_2_023D6781
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push 00000000h; mov dword ptr [esp], edx 3_2_023D67B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_023D684C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 3_2_023D6858
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-10h]; mov dword ptr [esp], edx 3_2_023D6926
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D5F16 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 3_2_023D6945

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, 1_2_10001745
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_023D2A69 xor edi, dword ptr fs:[00000030h] 3_2_023D2A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03042A69 xor edi, dword ptr fs:[00000030h] 4_2_03042A69
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Mal.EncPk-APW.3323.dll',#1
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.625565568.0000000001450000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000163F SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_1000163F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_10001850

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.274936732.0000000002600000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.254342538.0000000004990000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.625111885.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.loaddll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2600000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.4990000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.d90000.2.raw.unpack, type: UNPACKEDPE