
Analysis Report 8OKQ6ogGRx.dll

Overview

General Information

Sample Name: 8OKQ6ogGRx.dll
Analysis ID: 404147
MD5: e8eae1a820426a722c7cae54ed5bacd8
SHA1: 4d8368f112e0c56e7caccb89724bfdad1999e706
SHA256: eb498648d17ad5250ab1f38b190dd2da8bfa8db3ee86054db991db79d15ad5cc
Tags: dll

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 2168 cmdline: loaddll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 3880 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6024 cmdline: rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3468 cmdline: rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Enterbeen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3512 cmdline: rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Multiply MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5212 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5240 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5212 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
Process Memory Space: loaddll32.exe PID: 2168 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 3.3.rundll32.exe.30aa438.0.raw.unpack | Malware Configuration Extractor: Ursnif {"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Source: 8OKQ6ogGRx.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: 8OKQ6ogGRx.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.474262084.000000006E12B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.473027283.000000006E12B000.00000002.00020000.sdmp, 8OKQ6ogGRx.dll
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BB896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,
Source: unknown | DNS traffic detected: queries for: outlook.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E0C101B NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E0C145E NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E0C23A5 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BB1724 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BBB301 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E0C2184
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BB62D8
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BBB0DC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BB8045
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E10AF51
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E106700
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E129DAE
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E123A47
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E127AB1
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E114B3B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E12035D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1228C3
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E10C100
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E10AF51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E106700
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E129DAE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E123A47
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E127AB1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E114B3B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E12035D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1228C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E10C100
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6E10B2D0 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6E10B2D0 appears 32 times
Source: 8OKQ6ogGRx.dll | Binary or memory string: OriginalFilenameturn.dll8 vs 8OKQ6ogGRx.dll
Source: 8OKQ6ogGRx.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal64.troj.winDLL@12/4@3/0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BB24C7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFFDCA7E35786F02EC.TMP
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Enterbeen
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\8OKQ6ogGRx.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\8OKQ6ogGRx.dll,Multiply
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5212 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 8OKQ6ogGRx.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8OKQ6ogGRx.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8OKQ6ogGRx.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8OKQ6ogGRx.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8OKQ6ogGRx.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8OKQ6ogGRx.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 8OKQ6ogGRx.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8OKQ6ogGRx.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8OKQ6ogGRx.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8OKQ6ogGRx.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8OKQ6ogGRx.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E0C160D LoadLibraryA,GetProcAddress,
Source: 8OKQ6ogGRx.dll | Static PE information: real checksum: 0x8203c should be: 0x8017c
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E0C2120 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E0C2173 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BBB0CB push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BBAD10 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E10B315 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E14221D push eax; retf
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E142BB6 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0D420E push es; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0D423B push ebx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E10B315 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0D43C5 push ebp; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E0D5842 push esp; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E14221D push eax; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E142BB6 push ecx; ret

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E10C6CB _memset,IsDebuggerPresent,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E112CFE ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E141302 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E140E3F push dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E141238 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E141302 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E140E3F push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E141238 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E10B830 GetProcessHeap,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E111090 SetUnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E1110C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E111090 SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_6E1110C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.470347990.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.472110783.0000000003640000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BB7EC1 cpuid
Source: C:\Windows\System32\loaddll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\System32\loaddll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\System32\loaddll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Windows\System32\loaddll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E0C195D GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00BB7EC1 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E10CFA3 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E0C1800 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000002.470954657.0000000003618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 2168, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation (2) | Path Interception | Process Injection (12) | Masquerading (1) | OS Credential Dumping | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API (1) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection (12) | LSASS Memory | Security Software Discovery (3) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information (1) | Security Account Manager | Process Discovery (2) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol (1) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (2) | NTDS | Account Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 (1) | LSA Secrets | System Owner/User Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing (1) | Cached Domain Credentials | File and Directory Discovery (2) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery (23) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 404147, Sample: 8OKQ6ogGRx.dll, Startdate: 04/05/2021, Architecture: WINDOWS, Score: 64 (graph image not included).
Network nodes: www.outlook.com, outlook.office365.com, 5 other IPs or domains. Signatures on the sample node: Found malware configuration, Yara detected Ursnif.
Process nodes: loaddll32.exe (started cmd.exe, rundll32.exe and rundll32.exe; signatures: Writes or reads registry keys via WMI, Writes registry values via WMI), cmd.exe (started rundll32.exe), iexplore.exe (started iexplore.exe).
