Analysis Report iJdlvBxhYu.dll

Overview

General Information

Sample Name: iJdlvBxhYu.dll
Analysis ID: 404149
MD5: 18d613d02eaf8d339feebb21f578f329
SHA1: 01ea39853139ccfe82f0bd19f8963d3ccebf8e8a
SHA256: bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
Tags: dllgeoGoziISFBITAUrsnif
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 3.2.rundll32.exe.4e994a0.2.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Compliance:

barindex
Uses 32bit PE files
Source: iJdlvBxhYu.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: iJdlvBxhYu.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.593517225.000000006E16B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.598022464.000000006E16B000.00000002.00020000.sdmp, iJdlvBxhYu.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0100896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_0100896F

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.128.194 40.97.128.194
Source: global traffic HTTP traffic detected: GET /login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: outlook.com
Source: ~DF0D80EB75D4D79339.TMP.15.dr, {C4CF6A29-AD44-11EB-90E5-ECF4BB2D2496}.dat.15.dr String found in binary or memory: https://outlook.office365.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6M
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

System Summary:

barindex
Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1023A5 NtQueryVirtualMemory, 0_2_6E1023A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E10101B NtMapViewOfSection, 3_2_6E10101B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E10145E GetProcAddress,NtCreateSection,memset, 3_2_6E10145E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1023A5 NtQueryVirtualMemory, 3_2_6E1023A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01001724 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_01001724
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0100B301 NtQueryVirtualMemory, 3_2_0100B301
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E102184 0_2_6E102184
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E14AF51 0_2_6E14AF51
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E146700 0_2_6E146700
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E169DAE 0_2_6E169DAE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E163A47 0_2_6E163A47
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E167AB1 0_2_6E167AB1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E154B3B 0_2_6E154B3B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E16035D 0_2_6E16035D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1628C3 0_2_6E1628C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E14C100 0_2_6E14C100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E102184 3_2_6E102184
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01003977 3_2_01003977
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01008045 3_2_01008045
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010062D8 3_2_010062D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0100B0DC 3_2_0100B0DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E14AF51 3_2_6E14AF51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E146700 3_2_6E146700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E169DAE 3_2_6E169DAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E163A47 3_2_6E163A47
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E167AB1 3_2_6E167AB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E154B3B 3_2_6E154B3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E16035D 3_2_6E16035D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1628C3 3_2_6E1628C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E14C100 3_2_6E14C100
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E14B2D0 appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E14B2D0 appears 32 times
Sample file is different than original file name gathered from version info
Source: iJdlvBxhYu.dll Binary or memory string: OriginalFilenameturn.dll8 vs iJdlvBxhYu.dll
Uses 32bit PE files
Source: iJdlvBxhYu.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: iJdlvBxhYu.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal60.troj.winDLL@12/5@3/4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_010024C7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_010024C7
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4CF6A27-AD44-11EB-90E5-ECF4BB2D2496}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF222070F69DD5E09D.TMP Jump to behavior
Source: iJdlvBxhYu.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: iJdlvBxhYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: iJdlvBxhYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: iJdlvBxhYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: iJdlvBxhYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: iJdlvBxhYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: iJdlvBxhYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: iJdlvBxhYu.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: iJdlvBxhYu.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.593517225.000000006E16B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.598022464.000000006E16B000.00000002.00020000.sdmp, iJdlvBxhYu.dll
Source: iJdlvBxhYu.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: iJdlvBxhYu.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: iJdlvBxhYu.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: iJdlvBxhYu.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: iJdlvBxhYu.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E10160D LoadLibraryA,GetProcAddress, 0_2_6E10160D
PE file contains an invalid checksum
Source: iJdlvBxhYu.dll Static PE information: real checksum: 0x8203c should be: 0x7fedb
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E102120 push ecx; ret 0_2_6E102129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E102173 push ecx; ret 0_2_6E102183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E11420E push es; ret 0_2_6E11420F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E11423B push ebx; ret 0_2_6E11424E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E14B315 push ecx; ret 0_2_6E14B328
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1143C5 push ebp; ret 0_2_6E1143CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E18221D push eax; retf 0_2_6E182220
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E182BB6 push ecx; ret 0_2_6E182BD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E102120 push ecx; ret 3_2_6E102129
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E102173 push ecx; ret 3_2_6E102183
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0100AD10 push ecx; ret 3_2_0100AD19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0100B0CB push ecx; ret 3_2_0100B0DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E11420E push es; ret 3_2_6E11420F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E11423B push ebx; ret 3_2_6E11424E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E14B315 push ecx; ret 3_2_6E14B328
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1143C5 push ebp; ret 3_2_6E1143CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E115842 push esp; ret 3_2_6E11588C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E18221D push eax; retf 3_2_6E182220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E182BB6 push ecx; ret 3_2_6E182BD1

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0100896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_0100896F

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E14C6CB _memset,IsDebuggerPresent, 0_2_6E14C6CB
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E152CFE ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6E152CFE
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E10160D LoadLibraryA,GetProcAddress, 0_2_6E10160D
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E181302 mov eax, dword ptr fs:[00000030h] 0_2_6E181302
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E181238 mov eax, dword ptr fs:[00000030h] 0_2_6E181238
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E180E3F push dword ptr fs:[00000030h] 0_2_6E180E3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E181302 mov eax, dword ptr fs:[00000030h] 3_2_6E181302
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E181238 mov eax, dword ptr fs:[00000030h] 3_2_6E181238
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E180E3F push dword ptr fs:[00000030h] 3_2_6E180E3F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E14B830 GetProcessHeap, 0_2_6E14B830
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E151090 SetUnhandledExceptionFilter, 0_2_6E151090
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1510C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1510C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E151090 SetUnhandledExceptionFilter, 3_2_6E151090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1510C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E1510C1

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 Jump to behavior
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E14B84D cpuid 0_2_6E14B84D
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E16770D
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_6E1677BA
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E1675E3
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E151A40
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E167292
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E151AC6
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E1672EE
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E16736B
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E1673EE
Source: C:\Windows\System32\loaddll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_6E16701E
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6E15185F
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_6E14A8B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E16770D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 3_2_6E1677BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6E1675E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E151A40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E167292
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E151AC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6E1672EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6E16736B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6E1673EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 3_2_6E16701E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_6E15185F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 3_2_6E14A8B9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E101D6E SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E101D6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01007EC1 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_01007EC1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E14CFA3 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_6E14CFA3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E101800 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E101800

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 404149 Sample: iJdlvBxhYu.dll Startdate: 04/05/2021 Architecture: WINDOWS Score: 60 24 outlook.office365.com 2->24 26 outlook.ms-acdc.office.com 2->26 28 2 other IPs or domains 2->28 36 Found malware configuration 2->36 38 Yara detected  Ursnif 2->38 8 loaddll32.exe 1 2->8         started        10 iexplore.exe 1 50 2->10         started        signatures3 process4 process5 12 rundll32.exe 8->12         started        15 cmd.exe 1 8->15         started        17 rundll32.exe 8->17         started        19 iexplore.exe 24 10->19         started        dnsIp6 40 Writes registry values via WMI 12->40 22 rundll32.exe 15->22         started        30 outlook.com 40.97.128.194, 443, 49725, 49726 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->30 32 HHN-efz.ms-acdc.office.com 52.97.150.2, 443, 49728, 49729 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->32 34 6 other IPs or domains 19->34 signatures7 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
52.97.150.2
HHN-efz.ms-acdc.office.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
40.97.128.194
outlook.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
52.97.201.82
FRA-efz.ms-acdc.office.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
outlook.com 40.97.128.194 true
HHN-efz.ms-acdc.office.com 52.97.150.2 true
FRA-efz.ms-acdc.office.com 52.97.201.82 true
www.outlook.com unknown unknown
outlook.office365.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://outlook.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk false
    high