
Analysis Report 606e7fb752fbd.rar.dll

Overview

General Information

Sample Name: 606e7fb752fbd.rar.dll
Analysis ID: 383661
MD5: 8bf44d2b3b9b7c0fa2754fbe6ad14a63
SHA1: 76d4ed4512d34edd5a34b917957654fedbfae23f
SHA256: cb7c95db9ce05d2304a4a98687a4b92f85081e1b7397820a52487b277ee1f2e1
Tags: BRT, dll, geo, gozi, isfb, ITA, ursnif

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6444 cmdline: loaddll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6456 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6476 cmdline: rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6464 cmdline: rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Choosethan MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6516 cmdline: rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Especiallyyes MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6532 cmdline: rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Guesscover MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6552 cmdline: rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Learncut MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6596 cmdline: rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,OnceOut MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup
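
The process tree above is produced by the sandbox's DLL loader harness (loaddll32.exe) calling each export of the sample in turn, so the parent chain itself is an analysis artifact; what carries over to a real host is rundll32.exe loading a double-extension DLL (.rar.dll) from a user-writable path. The following is an added example, not part of this report or of Joe Sandbox: it parses the rundll32 command lines from the tree (copied here as constructed process-creation events, plus one constructed benign control line), extracts the DLL path and entry point, and scores each load. The event field names, the user-writable path list and the scoring reasons are assumptions made for the example.

```python
import ntpath
import re

# Constructed process-creation events: the rundll32 lines are copied from the
# Startup tree of this report; the last event is a constructed benign control.
EVENTS = [
    {"pid": 6444, "ppid": 0, "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"loaddll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll'"},
    {"pid": 6456, "ppid": 6444, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1"},
    {"pid": 6476, "ppid": 6456, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1"},
    {"pid": 6464, "ppid": 6444, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Choosethan"},
    {"pid": 6516, "ppid": 6444, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Especiallyyes"},
    {"pid": 7000, "ppid": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# rundll32 syntax: rundll32.exe <dll>,<entry>; the dll may be single- or double-quoted.
RUNDLL_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+(?P<q>["']?)(?P<dll>[^"',]+)(?P=q)\s*,\s*(?P<entry>\S+)""",
    re.IGNORECASE,
)

# Assumed set of user-writable locations worth flagging (not exhaustive).
USER_WRITABLE = (r"^[a-z]:\\users\\", r"\\appdata\\", r"\\temp\\", r"\\programdata\\")


def parse_rundll32_cmdline(cmdline):
    """Return (dll_path, entry) for a command line that invokes rundll32, else None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    return m.group("dll").strip(), m.group("entry")


def score_rundll32_load(dll_path, entry):
    """Return the list of reasons a rundll32 load looks suspicious (empty if none)."""
    reasons = []
    low = dll_path.lower()
    if any(re.search(p, low) for p in USER_WRITABLE):
        reasons.append("dll loaded from user-writable path")
    name = ntpath.basename(low)
    if len(name.split(".")) > 2:
        # e.g. 606e7fb752fbd.rar.dll: an archive extension in front of the real .dll
        reasons.append("double extension in dll name (%s)" % name)
    if entry.startswith("#"):
        reasons.append("export called by ordinal")
    return reasons


def triage_rundll32(events):
    """Run the heuristics over process-creation events and return the findings."""
    findings = []
    for ev in events:
        parsed = parse_rundll32_cmdline(ev["cmdline"])
        if parsed is None:
            continue
        dll, entry = parsed
        reasons = score_rundll32_load(dll, entry)
        if reasons:
            findings.append({"pid": ev["pid"], "ppid": ev["ppid"], "image": ev["image"],
                             "dll": dll, "entry": entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_rundll32(EVENTS):
        print(f["pid"], f["image"], f["dll"], f["entry"], "; ".join(f["reasons"]))
```

The cmd.exe event is reported too, because its command line already names the DLL and the ordinal; the loaddll32.exe line and the shell32.dll control line produce no finding. On a real host the same parser can be fed Sysmon event ID 1 or Security event 4688 command lines.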

Malware Configuration

Threatname: Ursnif

[{"RSA Public Key": "YKwVOU5rJLi0k2wc/Sa//orn/I3K6zI6HgJKpraE6XyxxZAjZUdVyZ9IFso22JAAB2G4qzzp3TU2DJqhIyPO7xVeI9l7K9H9VlKfzYozAbxBQCrtZPEdPyCguw2FwPnt3aL3viJmXn26e8PXSevTHzQdNxMCe42eyfgYxlDVzbkJTLhI91j/G+/dxO1/TdYY"}, {"c2_domain": ["ocsp2.digicert.com", "aus6.mozilla.org", "durenoluneer.xyz", "surenoluneer.xyz"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]
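
The configuration block above can be turned into checked, actionable indicators with a few lines of code. The following is an added example, not part of the report or of Joe Sandbox's extractor: it merges the two JSON objects, validates the key material (the base64 RSA public key blob and the 16-character Serpent key the family uses for its network traffic, per the serpent_key field), and splits the c2_domain list into candidate C2 hosts and entries on an analyst-supplied allowlist. The allowlist of two hosts is an assumption made here; Ursnif/ISFB configurations are widely reported to pad the C2 list with legitimate domains (OCSP responders, Mozilla update hosts) as decoys, and those must not end up on a blocklist.

```python
import base64
import json

# RSA public key blob and configuration copied verbatim from this report.
RSA_KEY_B64 = (
    "YKwVOU5rJLi0k2wc/Sa//orn/I3K6zI6HgJKpraE6XyxxZAjZUdVyZ9IFso22JAAB2G4qzzp3TU2DJqhIyPO7xVeI9l7K9H9"
    "VlKfzYozAbxBQCrtZPEdPyCguw2FwPnt3aL3viJmXn26e8PXSevTHzQdNxMCe42eyfgYxlDVzbkJTLhI91j/G+/dxO1/TdYY"
)
REPORT_CONFIG = (
    '[{"RSA Public Key": "' + RSA_KEY_B64 + '"}, '
    '{"c2_domain": ["ocsp2.digicert.com", "aus6.mozilla.org", "durenoluneer.xyz", "surenoluneer.xyz"], '
    '"botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", '
    '"SetWaitableTimer_value": "0", "DGA_count": "10"}]'
)

# Analyst-supplied allowlist (assumption): legitimate hosts the family lists as decoys.
KNOWN_BENIGN_HOSTS = {"ocsp2.digicert.com", "aus6.mozilla.org"}


def merge_config(raw):
    """The extractor emits a list of objects; fold them into one dict."""
    merged = {}
    for part in json.loads(raw):
        merged.update(part)
    return merged


def triage_ursnif_config(raw, benign=KNOWN_BENIGN_HOSTS):
    """Validate key material and separate decoy hosts from C2 candidates."""
    cfg = merge_config(raw)
    # validate=True rejects anything outside the base64 alphabet (a sign of a mangled dump)
    rsa_blob = base64.b64decode(cfg["RSA Public Key"], validate=True)
    serpent = cfg["serpent_key"].encode("ascii")
    if len(serpent) not in (16, 24, 32):
        raise ValueError("serpent_key is not a valid Serpent key length: %d bytes" % len(serpent))
    domains = cfg.get("c2_domain", [])
    return {
        "botnet": cfg.get("botnet"),
        "server": cfg.get("server"),
        "rsa_public_key_len": len(rsa_blob),
        "serpent_key_bits": len(serpent) * 8,
        "sleep_time": int(cfg.get("sleep_time", 0)),
        "dga_count": int(cfg.get("DGA_count", 0)),
        "c2_candidates": [d for d in domains if d not in benign],
        "decoy_domains": [d for d in domains if d in benign],
    }


def to_blocklist(triage):
    """Flat, sorted list of hosts safe to block: the non-allowlisted ones only."""
    return sorted(triage["c2_candidates"])


if __name__ == "__main__":
    t = triage_ursnif_config(REPORT_CONFIG)
    print(json.dumps(t, indent=2))
    print("block:", to_blocklist(t))
```

The botnet and server identifiers are worth recording alongside the hosts: they tie this sample to a campaign even after the domains rotate, and the DGA_count of 10 means the two .xyz hosts are not the only addresses the bot will try.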

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Unpacked PEs

Source | Rule | Description | Author
4.3.rundll32.exe.c5a4b1.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
4.2.rundll32.exe.6d450000.3.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
5.2.rundll32.exe.6d450000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.3.rundll32.exe.f1a4b1.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.3.rundll32.exe.eca4b1.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.6d450000.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
2.2.rundll32.exe.6d450000.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.4cc94a0.2.raw.unpack | Malware Configuration Extractor: Ursnif [{"RSA Public Key": "YKwVOU5rJLi0k2wc/Sa//orn/I3K6zI6HgJKpraE6XyxxZAjZUdVyZ9IFso22JAAB2G4qzzp3TU2DJqhIyPO7xVeI9l7K9H9VlKfzYozAbxBQCrtZPEdPyCguw2FwPnt3aL3viJmXn26e8PXSevTHzQdNxMCe42eyfgYxlDVzbkJTLhI91j/G+/dxO1/TdYY"}, {"c2_domain": ["ocsp2.digicert.com", "aus6.mozilla.org", "durenoluneer.xyz", "surenoluneer.xyz"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]
Source: 606e7fb752fbd.rar.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 606e7fb752fbd.rar.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\hot\905_grow\310_Together\Brought.pdb | source: loaddll32.exe, 00000000.00000002.901043048.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.908140362.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.901888879.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.908539337.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.910191671.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.901492823.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.901601437.000000006D500000.00000002.00020000.sdmp, 606e7fb752fbd.rar.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.3.rundll32.exe.c5a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6d450000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.f1a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.eca4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6d450000.2.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.3.rundll32.exe.c5a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6d450000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.f1a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.eca4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6d450000.2.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D452375 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D452375 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D494D40
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D492FAD
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C6EC9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A6B40
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D456B50
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C3507
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4695D0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D465590
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4B05A8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4641B0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4BA02F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4D00FC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D452154
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D494D40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4C3507
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D492FAD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4641B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4BA02F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4A6B40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D452154
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D494D40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4C3507
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D492FAD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4641B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4BA02F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4A6B40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D494D40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4C3507
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D492FAD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4641B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4BA02F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4A6B40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D494D40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D4C3507
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D4A4C5F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D492FAD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D4641B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D4BA02F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D4A6B40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D494D40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D492FAD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4C6EC9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4A6B40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D456B50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4C3507
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4695D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D465590
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4B05A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4641B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4BA02F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4D00FC
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6D490E9E appears 83 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D490ED2 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D491790 appears 123 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D490E9E appears 407 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D4B491D appears 55 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D4B4776 appears 74 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D490F09 appears 35 times
Source: 606e7fb752fbd.rar.dll | Binary or memory string: OriginalFilename Brought.dll vs 606e7fb752fbd.rar.dll
Source: 606e7fb752fbd.rar.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal56.troj.winDLL@15/0@0/0
Source: 606e7fb752fbd.rar.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Choosethan
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Choosethan
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Especiallyyes
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Guesscover
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Learncut
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,OnceOut
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Choosethan
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Especiallyyes
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Guesscover
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,Learncut
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\606e7fb752fbd.rar.dll,OnceOut
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: 606e7fb752fbd.rar.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 606e7fb752fbd.rar.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 606e7fb752fbd.rar.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 606e7fb752fbd.rar.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 606e7fb752fbd.rar.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 606e7fb752fbd.rar.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 606e7fb752fbd.rar.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 606e7fb752fbd.rar.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\hot\905_grow\310_Together\Brought.pdb | source: loaddll32.exe, 00000000.00000002.901043048.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.908140362.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.901888879.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.908539337.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.910191671.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.901492823.000000006D500000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.901601437.000000006D500000.00000002.00020000.sdmp, 606e7fb752fbd.rar.dll
Source: 606e7fb752fbd.rar.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 606e7fb752fbd.rar.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 606e7fb752fbd.rar.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 606e7fb752fbd.rar.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 606e7fb752fbd.rar.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D451745 LoadLibraryA, GetProcAddress
Source: 606e7fb752fbd.rar.dll | Static PE information: real checksum: 0xfd487 should be: 0xff097
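
The "invalid checksum" finding (stored 0xfd487 where 0xff097 is expected for the file as it is now) can be reproduced with the documented PE checksum algorithm: a 16-bit sum with carry folding over the whole file, skipping the four bytes of the CheckSum field, plus the file length. The following is an added example, not part of the report or of Joe Sandbox; because the sample itself is not on this page, it exercises the code on a constructed minimal PE header (assumed layout: e_lfanew at 0x3C, optional header starting 24 bytes after the PE signature, CheckSum 64 bytes into the optional header) and can be pointed at any real file with verify_pe_checksum(open(path, "rb").read()).

```python
import struct


def pe_checksum_field_offset(data):
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (signature) + 20 (file header) + 64."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # 64 is the CheckSum offset for both PE32 and PE32+ optional headers.
    return e_lfanew + 24 + 64


def pe_checksum(data, skip_offset):
    """Microsoft PE checksum: 16-bit word sum with carry folding, the CheckSum
    field itself skipped, then the file size added."""
    total = 0
    n = len(data)
    for i in range(0, n - (n % 2), 2):
        if i == skip_offset or i == skip_offset + 2:
            continue
        total += data[i] | (data[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    if n % 2:
        total += data[-1]                          # odd trailing byte
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + n) & 0xFFFFFFFF


def verify_pe_checksum(data):
    """Compare the stored CheckSum with the one the file should carry."""
    off = pe_checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return {"stored": stored, "computed": computed,
            "valid": stored == computed, "zero": stored == 0}


def build_fake_pe(stored_checksum):
    """Constructed 160-byte MZ/PE header stub (not a loadable image) for demonstration."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x58, 0x10B)         # optional header Magic: PE32
    struct.pack_into("<I", buf, 0x98, stored_checksum)  # CheckSum field at 0x40 + 88
    return bytes(buf)


if __name__ == "__main__":
    for stored in (0xA188, 0, 0xDEAD):
        r = verify_pe_checksum(build_fake_pe(stored))
        print("stored=0x%x computed=0x%x valid=%s zero=%s"
              % (r["stored"], r["computed"], r["valid"], r["zero"]))
```

A stored value of zero just means the linker was not asked to set one, which is normal for unsigned user-mode binaries; a non-zero value that does not match, as in this sample, means the bytes were changed after the checksum was written, which is what packing or post-link patching of a legitimately built DLL looks like.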
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D490E67 push ecx; ret 0_2_6D490E7A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4917D6 push ecx; ret 0_2_6D4917E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D452143 push ecx; ret 2_2_6D452153
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4520F0 push ecx; ret 2_2_6D4520F9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4917D6 push ecx; ret 2_2_6D4917E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D490E67 push ecx; ret 2_2_6D490E7A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D452143 push ecx; ret 3_2_6D452153
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4520F0 push ecx; ret 3_2_6D4520F9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4917D6 push ecx; ret 3_2_6D4917E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D490E67 push ecx; ret 3_2_6D490E7A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4917D6 push ecx; ret 4_2_6D4917E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D490E67 push ecx; ret 4_2_6D490E7A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D4917D6 push ecx; ret 5_2_6D4917E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D490E67 push ecx; ret 5_2_6D490E7A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D490E67 push ecx; ret 6_2_6D490E7A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4917D6 push ecx; ret 6_2_6D4917E9

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.3.rundll32.exe.c5a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.6d450000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.3.rundll32.exe.f1a4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.eca4b1.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6d450000.2.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4B3EDA IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D451745 LoadLibraryA, GetProcAddress
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4BAD71 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4BAD71 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D541746 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D54167C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D541283 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4BAD71 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D541746 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D54167C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D541283 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4BAD71 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D541746 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D54167C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D541283 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D4BAD71 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4BAD71 mov eax, dword ptr fs:[00000030h]
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4B3EDA IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D491078 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D49138C IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4B3EDA IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D491078 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D4B3EDA IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6D491078 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D4B3EDA IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6D491078 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D4B3EDA IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_6D491078 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D4B3EDA IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D491078 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_6D49138C IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\606e7fb752fbd.rar.dll',#1
Source: loaddll32.exe, 00000000.00000002.900668496.0000000000BA0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.901484262.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.901496797.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.901571033.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.901722448.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.901100477.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.901151375.0000000003600000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.900668496.0000000000BA0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.901484262.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.901496797.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.901571033.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.901722448.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.901100477.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.901151375.0000000003600000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.900668496.0000000000BA0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.901484262.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.901496797.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.901571033.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.901722448.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.901100477.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.901151375.0000000003600000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.900668496.0000000000BA0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.901484262.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.901496797.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.901571033.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.901722448.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.901100477.0000000003010000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.901151375.0000000003600000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4906EF cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, 0_2_6D4C4A8A
Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoEx, 0_2_6D4901B9
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, 0_2_6D4C40B9
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, 0_2_6D47F379
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage, _wcschr, _wcschr, GetLocaleInfoW, 2_2_6D4CD50B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, GetLocaleInfoW, GetACP, 2_2_6D4CDC8D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6D4CD7EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6D4CD783
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW, 2_2_6D4CDE61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoEx, 2_2_6D4901B9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, 2_2_6D4CD887
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,2_2_6D4C40B9
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,2_2_6D47F379
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,2_2_6D4C4A8A
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_6D4CD50B
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6D4CDC8D
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6D4CD7EC
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6D4CD783
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_6D4CDE61
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoEx,3_2_6D4901B9
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6D4CD887
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6D4C40B9
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6D47F379
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6D4C4A8A
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_6D4CD50B
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6D4CDC8D
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6D4CD7EC
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6D4CD783
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_6D4CDE61
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoEx,4_2_6D4901B9
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6D4CD887
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6D4C40B9
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,4_2_6D47F379
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,4_2_6D4C4A8A
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,5_2_6D4CD50B
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,5_2_6D4CDC8D
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,5_2_6D4CD7EC
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,5_2_6D4CD783
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_6D4CDE61
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoEx,5_2_6D4901B9
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,5_2_6D4CD887
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,5_2_6D4C40B9
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,5_2_6D47F379
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,5_2_6D4C4A8A
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,6_2_6D4C4A8A
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoEx,6_2_6D4901B9
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,6_2_6D4C40B9
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,6_2_6D47F379
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D47B218 GetSystemTimeAsFileTime,0_2_6D47B218
                  Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6D4C8870 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_6D4C8870
                  Source: C:\Windows\SysWOW64\rundll32.exeCode function: 2_2_6D451850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,2_2_6D451850

                  Stealing of Sensitive Information:

                  Yara detected Ursnif
                  Source: Yara match | File source: 00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 4.3.rundll32.exe.c5a4b1.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.rundll32.exe.6d450000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.3.rundll32.exe.f1a4b1.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.rundll32.exe.eca4b1.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.rundll32.exe.6d450000.2.unpack, type: UNPACKEDPE

                  Remote Access Functionality:

                  Yara detected Ursnif
                  Source: Yara match | File source: 00000003.00000003.874026586.0000000000EC0000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000003.873095643.0000000000F10000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000003.890597997.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
                  Source: Yara match | File source: 4.3.rundll32.exe.c5a4b1.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 4.2.rundll32.exe.6d450000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 5.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.3.rundll32.exe.f1a4b1.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.3.rundll32.exe.eca4b1.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 3.2.rundll32.exe.6d450000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.rundll32.exe.6d450000.2.unpack, type: UNPACKEDPE

                  Mitre Att&ck Matrix

                  The number in parentheses after a technique is the count of signatures matched for that technique in this analysis; techniques without a number were not observed.

                  Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                  Valid Accounts | Native API (1) | Path Interception | Process Injection (12) | Rundll32 (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                  Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (12) | LSASS Memory | Security Software Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                  Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                  Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | System Information Discovery (23) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud

                  Behavior Graph


                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
                  Behavior Graph ID: 383661
                  Sample: 606e7fb752fbd.rar.dll
                  Start date: 08/04/2021
                  Architecture: WINDOWS
                  Score: 56
                  Signatures attached to the sample node: Found malware configuration; Yara detected Ursnif
                  Process tree shown in the graph: loaddll32.exe started cmd.exe, rundll32.exe, rundll32.exe and 3 other processes; cmd.exe started rundll32.exe

                  Screenshots

                  Thumbnails

                  This section contains all screenshots as thumbnails, including those not shown in the slideshow.