Analysis Report 8OKQ6ogGRx.dll

Overview

General Information

Sample Name: 8OKQ6ogGRx.dll
Analysis ID: 404147
MD5: e8eae1a820426a722c7cae54ed5bacd8
SHA1: 4d8368f112e0c56e7caccb89724bfdad1999e706
SHA256: eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
Tags: dll

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 3.3.rundll32.exe.30aa438.0.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Compliance:

Uses 32bit PE files
Source: 8OKQ6ogGRx.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 8OKQ6ogGRx.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.474262084.000000006E12B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.473027283.000000006E12B000.00000002.00020000.sdmp, 8OKQ6ogGRx.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00BB896F
Source: unknown DNS traffic detected: queries for: outlook.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0C101B NtMapViewOfSection, 0_2_6E0C101B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0C145E NtCreateSection,memset, 0_2_6E0C145E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0C23A5 NtQueryVirtualMemory, 0_2_6E0C23A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB1724 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00BB1724
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBB301 NtQueryVirtualMemory, 0_2_00BBB301
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0C2184 0_2_6E0C2184
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB62D8 0_2_00BB62D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBB0DC 0_2_00BBB0DC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB8045 0_2_00BB8045
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E10AF51 0_2_6E10AF51
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E106700 0_2_6E106700
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E129DAE 0_2_6E129DAE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E123A47 0_2_6E123A47
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E127AB1 0_2_6E127AB1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E114B3B 0_2_6E114B3B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E12035D 0_2_6E12035D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1228C3 0_2_6E1228C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E10C100 0_2_6E10C100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E10AF51 3_2_6E10AF51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E106700 3_2_6E106700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E129DAE 3_2_6E129DAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E123A47 3_2_6E123A47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E127AB1 3_2_6E127AB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E114B3B 3_2_6E114B3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E12035D 3_2_6E12035D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1228C3 3_2_6E1228C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E10C100 3_2_6E10C100
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E10B2D0 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E10B2D0 appears 32 times
Sample file is different than original file name gathered from version info
Source: 8OKQ6ogGRx.dll Binary or memory string: OriginalFilenameturn.dll8 vs 8OKQ6ogGRx.dll
Uses 32bit PE files
Source: 8OKQ6ogGRx.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 8OKQ6ogGRx.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal64.troj.winDLL@12/4@3/0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB24C7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_00BB24C7
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFFDCA7E35786F02EC.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Enterbeen
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Multiply
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5212 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 8OKQ6ogGRx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8OKQ6ogGRx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8OKQ6ogGRx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8OKQ6ogGRx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8OKQ6ogGRx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8OKQ6ogGRx.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 8OKQ6ogGRx.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.474262084.000000006E12B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.473027283.000000006E12B000.00000002.00020000.sdmp, 8OKQ6ogGRx.dll
Source: 8OKQ6ogGRx.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8OKQ6ogGRx.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8OKQ6ogGRx.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8OKQ6ogGRx.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8OKQ6ogGRx.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0C160D LoadLibraryA,GetProcAddress, 0_2_6E0C160D
PE file contains an invalid checksum
Source: 8OKQ6ogGRx.dll Static PE information: real checksum: 0x8203c should be: 0x8017c
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0C2120 push ecx; ret 0_2_6E0C2129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0C2173 push ecx; ret 0_2_6E0C2183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBB0CB push ecx; ret 0_2_00BBB0DB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BBAD10 push ecx; ret 0_2_00BBAD19
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E10B315 push ecx; ret 0_2_6E10B328
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E14221D push eax; retf 0_2_6E142220
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E142BB6 push ecx; ret 0_2_6E142BD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E0D420E push es; ret 3_2_6E0D420F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E0D423B push ebx; ret 3_2_6E0D424E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E10B315 push ecx; ret 3_2_6E10B328
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E0D43C5 push ebp; ret 3_2_6E0D43CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E0D5842 push esp; ret 3_2_6E0D588C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E14221D push eax; retf 3_2_6E142220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E142BB6 push ecx; ret 3_2_6E142BD1

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00BB896F

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E10C6CB _memset,IsDebuggerPresent, 0_2_6E10C6CB
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E112CFE ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6E112CFE
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0C160D LoadLibraryA,GetProcAddress, 0_2_6E0C160D
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E141302 mov eax, dword ptr fs:[00000030h] 0_2_6E141302
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E140E3F push dword ptr fs:[00000030h] 0_2_6E140E3F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E141238 mov eax, dword ptr fs:[00000030h] 0_2_6E141238
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E141302 mov eax, dword ptr fs:[00000030h] 3_2_6E141302
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E140E3F push dword ptr fs:[00000030h] 3_2_6E140E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E141238 mov eax, dword ptr fs:[00000030h] 3_2_6E141238
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E10B830 GetProcessHeap, 0_2_6E10B830
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E111090 SetUnhandledExceptionFilter, 0_2_6E111090
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1110C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1110C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E111090 SetUnhandledExceptionFilter, 3_2_6E111090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1110C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E1110C1

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB7EC1 cpuid 0_2_00BB7EC1
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E12770D
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_6E1277BA
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E1275E3
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E111A40
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E127292
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E111AC6
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E1272EE
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E12736B
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E1273EE
Source: C:\Windows\System32\loaddll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_6E12701E
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6E11185F
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_6E10A8B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E12770D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 3_2_6E1277BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6E1275E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E111A40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E127292
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E111AC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6E1272EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6E12736B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6E1273EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 3_2_6E12701E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_6E11185F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 3_2_6E10A8B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0C195D GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E0C195D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00BB7EC1 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00BB7EC1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E10CFA3 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_6E10CFA3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E0C1800 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E0C1800

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

Behavior Graph (ID: 404147, Sample: 8OKQ6ogGRx.dll, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 64)

Contacted hosts: www.outlook.com, outlook.office365.com, 5 other IPs or domains
Signatures: Found malware configuration; Yara detected Ursnif
Process tree:
  loaddll32.exe
    Writes or reads registry keys via WMI
    Writes registry values via WMI
    cmd.exe
      rundll32.exe
    rundll32.exe
    rundll32.exe
  iexplore.exe
    iexplore.exe

No contacted IP infos

Contacted Domains

Name IP Active
outlook.com 40.97.161.50 true
HHN-efz.ms-acdc.office.com 40.101.138.2 true
FRA-efz.ms-acdc.office.com 40.101.81.162 true
www.outlook.com unknown unknown
outlook.office365.com unknown unknown