Loading ...

Play interactive tourEdit tour

Analysis Report 8OKQ6ogGRx.dll

Overview

General Information

Sample Name:8OKQ6ogGRx.dll
Analysis ID:404147
MD5:e8eae1a820426a722c7cae54ed5bacd8
SHA1:4d8368f112e0c56e7caccb89724bfdad1999e706
SHA256:eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
Tags:dll
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 2168 cmdline: loaddll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 3880 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6024 cmdline: rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3468 cmdline: rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Enterbeen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3512 cmdline: rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Multiply MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5212 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5240 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5212 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    Process Memory Space: loaddll32.exe PID: 2168JoeSecurity_UrsnifYara detected UrsnifJoe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Found malware configurationShow sources
      Source: 3.3.rundll32.exe.30aa438.0.raw.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
      Source: 8OKQ6ogGRx.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
      Source: 8OKQ6ogGRx.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.474262084.000000006E12B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.473027283.000000006E12B000.00000002.00020000.sdmp, 8OKQ6ogGRx.dll
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00BB896F
      Source: unknownDNS traffic detected: queries for: outlook.com

      Key, Mouse, Clipboard, Microphone and Screen Capturing:

      barindex
      Yara detected UrsnifShow sources
      Source: Yara matchFile source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

      E-Banking Fraud:

      barindex
      Yara detected UrsnifShow sources
      Source: Yara matchFile source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

      System Summary:

      barindex
      Writes or reads registry keys via WMIShow sources
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Windows\System32\loaddll32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Writes registry values via WMIShow sources
      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C101B NtMapViewOfSection,0_2_6E0C101B
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C145E NtCreateSection,memset,0_2_6E0C145E
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C23A5 NtQueryVirtualMemory,0_2_6E0C23A5
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB1724 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,0_2_00BB1724
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BBB301 NtQueryVirtualMemory,0_2_00BBB301
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C21840_2_6E0C2184
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB62D80_2_00BB62D8
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BBB0DC0_2_00BBB0DC
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB80450_2_00BB8045
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10AF510_2_6E10AF51
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1067000_2_6E106700
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E129DAE0_2_6E129DAE
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E123A470_2_6E123A47
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E127AB10_2_6E127AB1
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E114B3B0_2_6E114B3B
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E12035D0_2_6E12035D
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1228C30_2_6E1228C3
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10C1000_2_6E10C100
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E10AF513_2_6E10AF51
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1067003_2_6E106700
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E129DAE3_2_6E129DAE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E123A473_2_6E123A47
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E127AB13_2_6E127AB1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E114B3B3_2_6E114B3B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E12035D3_2_6E12035D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1228C33_2_6E1228C3
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E10C1003_2_6E10C100
      Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E10B2D0 appears 32 times
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E10B2D0 appears 32 times
      Source: 8OKQ6ogGRx.dllBinary or memory string: OriginalFilenameturn.dll8 vs 8OKQ6ogGRx.dll
      Source: 8OKQ6ogGRx.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
      Source: 8OKQ6ogGRx.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: classification engineClassification label: mal64.troj.winDLL@12/4@3/0
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB24C7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,0_2_00BB24C7
      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
      Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DFFDCA7E35786F02EC.TMPJump to behavior
      Source: 8OKQ6ogGRx.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Enterbeen
      Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll'
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Enterbeen
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Multiply
      Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5212 CREDAT:17410 /prefetch:2
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1Jump to behavior
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,EnterbeenJump to behavior
      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,MultiplyJump to behavior
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1Jump to behavior
      Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5212 CREDAT:17410 /prefetch:2Jump to behavior
      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
      Source: 8OKQ6ogGRx.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
      Source: 8OKQ6ogGRx.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.474262084.000000006E12B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.473027283.000000006E12B000.00000002.00020000.sdmp, 8OKQ6ogGRx.dll
      Source: 8OKQ6ogGRx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
      Source: 8OKQ6ogGRx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
      Source: 8OKQ6ogGRx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
      Source: 8OKQ6ogGRx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
      Source: 8OKQ6ogGRx.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C160D LoadLibraryA,GetProcAddress,0_2_6E0C160D
      Source: 8OKQ6ogGRx.dllStatic PE information: real checksum: 0x8203c should be: 0x8017c
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C2120 push ecx; ret 0_2_6E0C2129
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C2173 push ecx; ret 0_2_6E0C2183
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BBB0CB push ecx; ret 0_2_00BBB0DB
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BBAD10 push ecx; ret 0_2_00BBAD19
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10B315 push ecx; ret 0_2_6E10B328
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E14221D push eax; retf 0_2_6E142220
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E142BB6 push ecx; ret 0_2_6E142BD1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E0D420E push es; ret 3_2_6E0D420F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E0D423B push ebx; ret 3_2_6E0D424E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E10B315 push ecx; ret 3_2_6E10B328
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E0D43C5 push ebp; ret 3_2_6E0D43CE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E0D5842 push esp; ret 3_2_6E0D588C
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E14221D push eax; retf 3_2_6E142220
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E142BB6 push ecx; ret 3_2_6E142BD1

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Yara detected UrsnifShow sources
      Source: Yara matchFile source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY
      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
      Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_00BB896F
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10C6CB _memset,IsDebuggerPresent,0_2_6E10C6CB
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E112CFE ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,0_2_6E112CFE
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C160D LoadLibraryA,GetProcAddress,0_2_6E0C160D
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E141302 mov eax, dword ptr fs:[00000030h]0_2_6E141302
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E140E3F push dword ptr fs:[00000030h]0_2_6E140E3F
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E141238 mov eax, dword ptr fs:[00000030h]0_2_6E141238
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E141302 mov eax, dword ptr fs:[00000030h]3_2_6E141302
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E140E3F push dword ptr fs:[00000030h]3_2_6E140E3F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E141238 mov eax, dword ptr fs:[00000030h]3_2_6E141238
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10B830 GetProcessHeap,0_2_6E10B830
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E111090 SetUnhandledExceptionFilter,0_2_6E111090
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1110C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E1110C1
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E111090 SetUnhandledExceptionFilter,3_2_6E111090
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1110C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E1110C1
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1Jump to behavior
      Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmpBinary or memory string: Program Manager
      Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB7EC1 cpuid 0_2_00BB7EC1
      Source: C:\Windows\System32\loaddll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6E12770D
      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_6E1277BA
      Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E1275E3
      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E111A40
      Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E127292
      Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6E111AC6
      Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E1272EE
      Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E12736B
      Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E1273EE
      Source: C:\Windows\System32\loaddll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,0_2_6E12701E
      Source: C:\Windows\System32\loaddll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_6E11185F
      Source: C:\Windows\System32\loaddll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_6E10A8B9
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6E12770D
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,3_2_6E1277BA
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,3_2_6E1275E3
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E111A40
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E127292
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6E111AC6
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6E1272EE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6E12736B
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,3_2_6E1273EE
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,3_2_6E12701E
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_6E11185F
      Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,3_2_6E10A8B9
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C195D GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_6E0C195D
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00BB7EC1 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_00BB7EC1
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10CFA3 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_6E10CFA3
      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E0C1800 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6E0C1800

      Stealing of Sensitive Information:

      barindex
      Yara detected UrsnifShow sources
      Source: Yara matchFile source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

      Remote Access Functionality:

      barindex
      Yara detected UrsnifShow sources
      Source: Yara matchFile source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management Instrumentation2Path InterceptionProcess Injection12Masquerading1OS Credential DumpingSystem Time Discovery2Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsNative API1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection12LSASS MemorySecurity Software Discovery3Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSAccount Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
      Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptRundll321LSA SecretsSystem Owner/User Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
      Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing1Cached Domain CredentialsFile and Directory Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsCompile After DeliveryDCSyncSystem Information Discovery23Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet
      behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 404147 Sample: 8OKQ6ogGRx.dll Startdate: 04/05/2021 Architecture: WINDOWS Score: 64 23 www.outlook.com 2->23 25 outlook.office365.com 2->25 27 5 other IPs or domains 2->27 29 Found malware configuration 2->29 31 Yara detected  Ursnif 2->31 8 loaddll32.exe 1 2->8         started        11 iexplore.exe 2 59 2->11         started        signatures3 process4 signatures5 33 Writes or reads registry keys via WMI 8->33 35 Writes registry values via WMI 8->35 13 cmd.exe 1 8->13         started        15 rundll32.exe 8->15         started        17 rundll32.exe 8->17         started        19 iexplore.exe 11->19         started        process6 process7 21 rundll32.exe 13->21         started       

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.