Analysis Report 0204_1.gif.dll

Overview

General Information

Sample Name: 0204_1.gif.dll
Analysis ID: 382559
MD5: 6ebc18a521638630f9b89ddb23c13b22
SHA1: 6bf2fd63e47f2b278ef75cca3893d87855c646d6
SHA256: 65179a35467708828de13c9a53f254c956cc4235a0196e3c53ca5022c176a6aa
Tags: dllGGGoziISFBUrsnif
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 4.2.rundll32.exe.bd0000.1.raw.unpack Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
Multi AV Scanner detection for domain / URL
Source: urs-world.com Virustotal: Detection: 5% Perma Link
Source: under17.com Virustotal: Detection: 5% Perma Link
Multi AV Scanner detection for submitted file
Source: 0204_1.gif.dll ReversingLabs: Detection: 54%
Machine Learning detection for sample
Source: 0204_1.gif.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.rundll32.exe.10000000.5.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 1.2.loaddll32.exe.1200000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 1.2.loaddll32.exe.10000000.4.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: 0204_1.gif.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F912D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_02F912D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02D712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 5_2_02D712D4

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.243.114.196 185.243.114.196
Source: Joe Sandbox View IP Address: 185.186.244.95 185.186.244.95
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ACCELERATED-ITDE ACCELERATED-ITDE
Source: Joe Sandbox View ASN Name: WEBZILLANL WEBZILLANL
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.3:49731 -> 185.243.114.196:80
Source: global traffic TCP traffic: 192.168.2.3:49758 -> 185.186.244.95:80
Source: unknown DNS traffic detected: queries for: login.microsoftonline.com
Source: GiGr-rA9TBhE2c3LJn7PvDweiOo.gz[1].js.14.dr String found in binary or memory: http://feross.org
Source: ~DF4EC0ACC0598C2A74.TMP.28.dr, {FBAD85DA-96F8-11EB-90E4-ECF4BB862DED}.dat.28.dr String found in binary or memory: http://under17.com/joomla/5Ee9Djbm01gK/tl8o1rQRrf7/ve4VcCWGPHbKdt/oB2JQB1Ds_2Fi7cV4n7xM/odh0a6MBnYBo
Source: {FBAD85D8-96F8-11EB-90E4-ECF4BB862DED}.dat.28.dr String found in binary or memory: http://under17.com/joomla/7ilxUUc2eQiB_2BWW/6r_2BMwbjonk/83d_2FHHC15/HJRFbBiTdFKAEO/luoufpwcpxd9B2Df
Source: {12812620-96F9-11EB-90E4-ECF4BB862DED}.dat.38.dr String found in binary or memory: http://urs-world.com/joomla/swXAVHGoBGvGk1d/ryn6afaNNl5GqYjk6D/Ylnh1Zekh/Fo40Y2SBz206KbWZIB4F/dye0VS
Source: ~DFB5C248C8321BA21B.TMP.38.dr, {12812622-96F9-11EB-90E4-ECF4BB862DED}.dat.38.dr String found in binary or memory: http://urs-world.com/joomla/xTET0B_2F/unrIzOSyB0AEFaeRqGqR/IAdUqUxpeEtOrtoms_2/FwF1t6izGIt_2BMjrNqXK
Source: ~DF9401D896BB639998.TMP.13.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/datenleck-bei-facebook-wachstum-z
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/janet-yellen-us-finanzministerin-fordert-weltweite-mi
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/finanzen/top-stories/staatliche-regulierung-allianz-gegen-big-tech-druck-a
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/admirale-begehren-auf-gegen-das-verr
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/alexej-nawalny-klagt-
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/es-h
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/so-tickt-kosovos-neue-staatspr
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/international/ukrainekonflikt-maas-warnt-russland-und-ukraine-
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/coronakrise-laschet-fordert-harten-br
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/das-alles-h
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/fdp-nur-keine-option-von-vornherein-ausschlie
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/l
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/politik/manfred-weber-nennt-eu-beitritt-der-t
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/nachrichten/vermischtes/die-altersheime-hat-man-vergessen/ar-BB1fkRPW?ocid
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/auf-schmusekurs-mit-erdogan-eu-spitzen-reisen-in-die-t
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/das-grosse-impfen-beginnt-geht-es-nun-endlich-vorw
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/der-westen-muss-mit-sanktionen-drohen-die-wehtun/ar-BB1flkV9?oc
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/neuseeland-und-australien-starten-quarant
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/pentagon-usa-beobachten-russlands-aktivit
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/polizei-sucht-mit-superpuma-nach-vermissten-minderj
Source: msnpopularnow[1].json.14.dr String found in binary or memory: https://www.msn.com/de-ch/news/other/ressourcen-f

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.248258066.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.487763309.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318966853.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318950554.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.480525805.0000000004DAF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323328029.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.319029773.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318997670.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323362066.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.401164058.0000000003A2D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318987145.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.480876876.000000000392F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323281366.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323298116.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.404525963.0000000004EAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318925659.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323337362.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 68, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5452, type: MEMORY

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.248258066.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.487763309.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318966853.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318950554.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.480525805.0000000004DAF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323328029.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.319029773.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318997670.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323362066.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.401164058.0000000003A2D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318987145.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.480876876.000000000392F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323281366.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323298116.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.404525963.0000000004EAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318925659.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323337362.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 68, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5452, type: MEMORY

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001D9F NtMapViewOfSection, 1_2_10001D9F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001EB5 GetProcAddress,NtCreateSection,memset, 1_2_10001EB5
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002375 NtQueryVirtualMemory, 1_2_10002375
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F983B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_02F983B7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F9B341 NtQueryVirtualMemory, 1_2_02F9B341
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02D783B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_02D783B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02D7B341 NtQueryVirtualMemory, 5_2_02D7B341
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002154 1_2_10002154
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F94094 1_2_02F94094
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F997F2 1_2_02F997F2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F9B11C 1_2_02F9B11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA348F 4_2_02CA348F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA3BDB 4_2_02CA3BDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA28EB 4_2_02CA28EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA20EE 4_2_02CA20EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA52EC 4_2_02CA52EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA5AF6 4_2_02CA5AF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA3A85 4_2_02CA3A85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA1B95 4_2_02CA1B95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA3FA8 4_2_02CA3FA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA554B 4_2_02CA554B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA4859 4_2_02CA4859
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA596E 4_2_02CA596E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA237B 4_2_02CA237B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA247B 4_2_02CA247B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA5C76 4_2_02CA5C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA1374 4_2_02CA1374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA1000 4_2_02CA1000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA1918 4_2_02CA1918
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA3314 4_2_02CA3314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA6424 4_2_02CA6424
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD348F 5_2_02CD348F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD3BDB 5_2_02CD3BDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD52EC 5_2_02CD52EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD20EE 5_2_02CD20EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD28EB 5_2_02CD28EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD5AF6 5_2_02CD5AF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD3A85 5_2_02CD3A85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD1B95 5_2_02CD1B95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD3FA8 5_2_02CD3FA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD554B 5_2_02CD554B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD4859 5_2_02CD4859
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD596E 5_2_02CD596E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD237B 5_2_02CD237B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD247B 5_2_02CD247B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD1374 5_2_02CD1374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD5C76 5_2_02CD5C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD1000 5_2_02CD1000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD1918 5_2_02CD1918
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD3314 5_2_02CD3314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD6424 5_2_02CD6424
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02D74094 5_2_02D74094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02D797F2 5_2_02D797F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02D7B11C 5_2_02D7B11C
Uses 32bit PE files
Source: 0204_1.gif.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal92.troj.winDLL@21/108@9/2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F9757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_02F9757F
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF429EC30D8A24338F.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204_1.gif.dll,StartService
Source: 0204_1.gif.dll ReversingLabs: Detection: 54%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204_1.gif.dll,StartService
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6664 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6664 CREDAT:82952 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6780 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6780 CREDAT:17414 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6384 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\0204_1.gif.dll,StartService Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6664 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6664 CREDAT:82952 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6780 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6780 CREDAT:17414 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6384 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, 1_2_10001745
PE file contains sections with non-standard names
Source: 0204_1.gif.dll Static PE information: section name: .code
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10002143 push ecx; ret 1_2_10002153
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_100020F0 push ecx; ret 1_2_100020F9
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F9EAE5 push ds; retf 1_2_02F9EAEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F9E4C9 push ecx; ret 1_2_02F9E4CA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F9AD50 push ecx; ret 1_2_02F9AD59
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F9D343 pushfd ; retf 0003h 1_2_02F9D346
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F9B10B push ecx; ret 1_2_02F9B11B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx 4_2_02CA34A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx 4_2_02CA3632
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA348F push 00000000h; mov dword ptr [esp], edx 4_2_02CA37FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA348F push edx; mov dword ptr [esp], 00000002h 4_2_02CA384A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA348F push 00000000h; mov dword ptr [esp], ecx 4_2_02CA38D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA6194 push eax; mov dword ptr [esp], 00000004h 4_2_02CA61AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA6194 push esi; mov dword ptr [esp], 00001000h 4_2_02CA61B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA6194 push 00000000h; mov dword ptr [esp], ebp 4_2_02CA6267
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA20EE push 00000000h; mov dword ptr [esp], esi 4_2_02CA210B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA20EE push dword ptr [ebp-10h]; mov dword ptr [esp], esi 4_2_02CA2177
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA20EE push dword ptr [ebp-10h]; mov dword ptr [esp], ecx 4_2_02CA222E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA20EE push 00000000h; mov dword ptr [esp], eax 4_2_02CA2498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA20EE push 00000000h; mov dword ptr [esp], edi 4_2_02CA2502
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA20EE push 00000000h; mov dword ptr [esp], ecx 4_2_02CA2524
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA20EE push dword ptr [ebp-10h]; mov dword ptr [esp], ecx 4_2_02CA269D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA20EE push dword ptr [ebp-10h]; mov dword ptr [esp], esi 4_2_02CA2737
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA20EE push edi; mov dword ptr [esp], 00000004h 4_2_02CA2759
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA5AF6 push esi; mov dword ptr [esp], 0000F000h 4_2_02CA5C11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA4DF5 push 00000000h; mov dword ptr [esp], edi 4_2_02CA4EA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA2DF5 push dword ptr [ebp-04h]; mov dword ptr [esp], edi 4_2_02CA2E1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA2DF5 push 00000000h; mov dword ptr [esp], edx 4_2_02CA2EAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA2DF5 push 00000000h; mov dword ptr [esp], ebp 4_2_02CA2EC1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA6099 push esi; mov dword ptr [esp], FFFF0000h 4_2_02CA60A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA6099 push ecx; mov dword ptr [esp], 00005267h 4_2_02CA60C0

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.248258066.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.487763309.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318966853.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318950554.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.480525805.0000000004DAF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323328029.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.319029773.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318997670.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323362066.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.401164058.0000000003A2D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318987145.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.480876876.000000000392F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323281366.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323298116.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.404525963.0000000004EAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318925659.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323337362.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 68, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5452, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F912D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_02F912D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02D712D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 5_2_02D712D4

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001745 LoadLibraryA,GetProcAddress, 1_2_10001745
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02CA2DF5 or edx, dword ptr fs:[00000030h] 4_2_02CA2DF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02CD2DF5 or edx, dword ptr fs:[00000030h] 5_2_02CD2DF5

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\0204_1.gif.dll',#1 Jump to behavior
Source: loaddll32.exe, 00000001.00000002.487376121.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.487898300.0000000003120000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.487376121.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.487898300.0000000003120000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.487376121.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.487898300.0000000003120000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.487376121.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.487898300.0000000003120000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F9269C cpuid 1_2_02F9269C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_1000102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_1000102F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_02F9269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_02F9269C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_10001850

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.248258066.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.487763309.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318966853.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318950554.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.480525805.0000000004DAF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323328029.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.319029773.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318997670.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323362066.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.401164058.0000000003A2D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318987145.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.480876876.000000000392F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323281366.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323298116.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.404525963.0000000004EAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318925659.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323337362.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 68, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5452, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000005.00000002.486714562.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.248258066.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.487763309.0000000002ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.bd0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.2ed0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.loaddll32.exe.10000000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.10000000.5.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000005.00000003.323251536.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318966853.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318950554.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.480525805.0000000004DAF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323328029.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.319029773.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318997670.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323362066.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.401164058.0000000003A2D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318987145.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.480876876.000000000392F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323281366.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323298116.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.404525963.0000000004EAD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.318925659.0000000003B2B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.323337362.0000000004FAB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 68, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5452, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 382559 Sample: 0204_1.gif.dll Startdate: 06/04/2021 Architecture: WINDOWS Score: 92 35 urs-world.com 2->35 49 Multi AV Scanner detection for domain / URL 2->49 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 3 other signatures 2->55 8 loaddll32.exe 1 2->8         started        11 iexplore.exe 1 53 2->11         started        13 iexplore.exe 1 53 2->13         started        15 iexplore.exe 2 64 2->15         started        signatures3 process4 signatures5 57 Writes or reads registry keys via WMI 8->57 59 Writes registry values via WMI 8->59 17 rundll32.exe 8->17         started        20 cmd.exe 1 8->20         started        22 iexplore.exe 31 11->22         started        25 iexplore.exe 31 11->25         started        27 iexplore.exe 13->27         started        29 iexplore.exe 92 15->29         started        31 iexplore.exe 109 15->31         started        process6 dnsIp7 47 Writes registry values via WMI 17->47 33 rundll32.exe 20->33         started        37 under17.com 185.243.114.196, 80 ACCELERATED-ITDE Netherlands 22->37 39 urs-world.com 185.186.244.95, 80 WEBZILLANL Netherlands 27->39 41 prda.aadg.msidentity.com 29->41 43 login.microsoftonline.com 29->43 45 a.privatelink.msidentity.com 29->45 signatures8 process9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.243.114.196
 under17.com Netherlands
31400 ACCELERATED-ITDE true
185.186.244.95
 urs-world.com Netherlands
35415 WEBZILLANL true

Contacted Domains

Name IP Active
urs-world.com 185.186.244.95 true
under17.com 185.243.114.196 true
login.microsoftonline.com unknown unknown