Loading ...

Play interactive tourEdit tour

Analysis Report iJdlvBxhYu.dll

Overview

General Information

Sample Name:iJdlvBxhYu.dll
Analysis ID:404149
MD5:18d613d02eaf8d339feebb21f578f329
SHA1:01ea39853139ccfe82f0bd19f8963d3ccebf8e8a
SHA256:bd43f7bc23a76b086a81b8e6fcd4355cac648d3f7d9a941d9aa259def534d5b1
Tags:dllgeoGoziISFBITAUrsnif
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6684 cmdline: loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6692 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6732 cmdline: rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6720 cmdline: rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6780 cmdline: rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6728 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4876 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 5 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Found malware configurationShow sources
            Source: 3.2.rundll32.exe.4e994a0.2.raw.unpackMalware Configuration Extractor: Ursnif {"RSA Public Key": "KfAh1HjBYV5+GLf1H4+++WQcflLYE80sojTEX/uvXaLXhDxSfFOCIe7aHw1TYNxXIBvEkznlAveWMvLVTSjkgy/Hqpm47GUbXiPUxbpl0qoDhGQpz45mxRQlc+jgXQ4D03Y0gMF90NeOpBOEi497zfDlURi8Me7OHCSUNpn4Q0kQtrInhQlll9V6IFuYjZJB", "c2_domain": ["outlook.com/login", "gmail.com", "dorelunonu.us", "morelunonu.us"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}
            Source: iJdlvBxhYu.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: iJdlvBxhYu.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.593517225.000000006E16B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.598022464.000000006E16B000.00000002.00020000.sdmp, iJdlvBxhYu.dll
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0100896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_0100896F
            Source: Joe Sandbox ViewIP Address: 40.97.128.194 40.97.128.194
            Source: global trafficHTTP traffic detected: GET /login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6MCq4h_2BQjlakLCK/wiH0Ze_2B/jucB0Ra6kWTVhbib9MO1/jbq6SBoLka4DWlxdGWZ/y4sF0OuALvDiDjUoj2_2B_/2FCnNAucowWTY/QocXWkvP/dNKrsXhuwJ0UrXUCqZRpNCx/r6rZ7E04g_/2B8ZRdIhu4yR4YZKp/tqA3A0JYvM/21FVchV.gfk HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive
            Source: unknownDNS traffic detected: queries for: outlook.com
            Source: ~DF0D80EB75D4D79339.TMP.15.dr, {C4CF6A29-AD44-11EB-90E5-ECF4BB2D2496}.dat.15.drString found in binary or memory: https://outlook.office365.com/login/greed/dTdjBCYANBp89r_2BxCJb/gK6KRSDvLFl65FiM/sVGCJkg_2FiGctf/t6M
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
            Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
            Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

            System Summary:

            barindex
            Writes registry values via WMIShow sources
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1023A5 NtQueryVirtualMemory,0_2_6E1023A5
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E10101B NtMapViewOfSection,3_2_6E10101B
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E10145E GetProcAddress,NtCreateSection,memset,3_2_6E10145E
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1023A5 NtQueryVirtualMemory,3_2_6E1023A5
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01001724 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_01001724
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0100B301 NtQueryVirtualMemory,3_2_0100B301
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1021840_2_6E102184
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E14AF510_2_6E14AF51
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1467000_2_6E146700
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E169DAE0_2_6E169DAE
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E163A470_2_6E163A47
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E167AB10_2_6E167AB1
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E154B3B0_2_6E154B3B
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E16035D0_2_6E16035D
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1628C30_2_6E1628C3
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E14C1000_2_6E14C100
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1021843_2_6E102184
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_010039773_2_01003977
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_010080453_2_01008045
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_010062D83_2_010062D8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0100B0DC3_2_0100B0DC
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E14AF513_2_6E14AF51
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1467003_2_6E146700
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E169DAE3_2_6E169DAE
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E163A473_2_6E163A47
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E167AB13_2_6E167AB1
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E154B3B3_2_6E154B3B
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E16035D3_2_6E16035D
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1628C33_2_6E1628C3
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E14C1003_2_6E14C100
            Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E14B2D0 appears 32 times
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E14B2D0 appears 32 times
            Source: iJdlvBxhYu.dllBinary or memory string: OriginalFilenameturn.dll8 vs iJdlvBxhYu.dll
            Source: iJdlvBxhYu.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: iJdlvBxhYu.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal60.troj.winDLL@12/5@3/4
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_010024C7 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,3_2_010024C7
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C4CF6A27-AD44-11EB-90E5-ECF4BB2D2496}.datJump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF222070F69DD5E09D.TMPJump to behavior
            Source: iJdlvBxhYu.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll'
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Enterbeen
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,Multiply
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1Jump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,EnterbeenJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\iJdlvBxhYu.dll,MultiplyJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6728 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: iJdlvBxhYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: iJdlvBxhYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: iJdlvBxhYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: iJdlvBxhYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: iJdlvBxhYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: iJdlvBxhYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: iJdlvBxhYu.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
            Source: iJdlvBxhYu.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\364\Head\Fresh-Room\score_Several\turn.pdb source: loaddll32.exe, 00000000.00000002.593517225.000000006E16B000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.598022464.000000006E16B000.00000002.00020000.sdmp, iJdlvBxhYu.dll
            Source: iJdlvBxhYu.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: iJdlvBxhYu.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: iJdlvBxhYu.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: iJdlvBxhYu.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: iJdlvBxhYu.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10160D LoadLibraryA,GetProcAddress,0_2_6E10160D
            Source: iJdlvBxhYu.dllStatic PE information: real checksum: 0x8203c should be: 0x7fedb
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E102120 push ecx; ret 0_2_6E102129
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E102173 push ecx; ret 0_2_6E102183
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E11420E push es; ret 0_2_6E11420F
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E11423B push ebx; ret 0_2_6E11424E
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E14B315 push ecx; ret 0_2_6E14B328
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1143C5 push ebp; ret 0_2_6E1143CE
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E18221D push eax; retf 0_2_6E182220
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E182BB6 push ecx; ret 0_2_6E182BD1
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E102120 push ecx; ret 3_2_6E102129
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E102173 push ecx; ret 3_2_6E102183
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0100AD10 push ecx; ret 3_2_0100AD19
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0100B0CB push ecx; ret 3_2_0100B0DB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E11420E push es; ret 3_2_6E11420F
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E11423B push ebx; ret 3_2_6E11424E
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E14B315 push ecx; ret 3_2_6E14B328
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1143C5 push ebp; ret 3_2_6E1143CE
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E115842 push esp; ret 3_2_6E11588C
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E18221D push eax; retf 3_2_6E182220
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E182BB6 push ecx; ret 3_2_6E182BD1

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY
            Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_0100896F RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_0100896F
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E14C6CB _memset,IsDebuggerPresent,0_2_6E14C6CB
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E152CFE ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,0_2_6E152CFE
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E10160D LoadLibraryA,GetProcAddress,0_2_6E10160D
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E181302 mov eax, dword ptr fs:[00000030h]0_2_6E181302
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E181238 mov eax, dword ptr fs:[00000030h]0_2_6E181238
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E180E3F push dword ptr fs:[00000030h]0_2_6E180E3F
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E181302 mov eax, dword ptr fs:[00000030h]3_2_6E181302
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E181238 mov eax, dword ptr fs:[00000030h]3_2_6E181238
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E180E3F push dword ptr fs:[00000030h]3_2_6E180E3F
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E14B830 GetProcessHeap,0_2_6E14B830
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E151090 SetUnhandledExceptionFilter,0_2_6E151090
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1510C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E1510C1
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E151090 SetUnhandledExceptionFilter,3_2_6E151090
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_6E1510C1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_6E1510C1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\iJdlvBxhYu.dll',#1Jump to behavior
            Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmpBinary or memory string: &Program Manager
            Source: loaddll32.exe, 00000000.00000002.592806107.0000000001490000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.593890848.0000000003640000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E14B84D cpuid 0_2_6E14B84D
            Source: C:\Windows\System32\loaddll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6E16770D
            Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_6E1677BA
            Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E1675E3
            Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E151A40
            Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E167292
            Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6E151AC6
            Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E1672EE
            Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E16736B
            Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E1673EE
            Source: C:\Windows\System32\loaddll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,0_2_6E16701E
            Source: C:\Windows\System32\loaddll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_6E15185F
            Source: C:\Windows\System32\loaddll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_6E14A8B9
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_6E16770D
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,3_2_6E1677BA
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,3_2_6E1675E3
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E151A40
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,3_2_6E167292
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,3_2_6E151AC6
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6E1672EE
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,3_2_6E16736B
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,3_2_6E1673EE
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,3_2_6E16701E
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,3_2_6E15185F
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,3_2_6E14A8B9
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E101D6E SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_6E101D6E
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_01007EC1 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,3_2_01007EC1
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E14CFA3 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_6E14CFA3
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E101800 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6E101800

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000003.00000003.536297010.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536331315.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536410675.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536390845.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536247273.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536484271.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.595047356.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536426256.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000003.536360413.0000000005618000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6732, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation1Path InterceptionProcess Injection12Masquerading1OS Credential DumpingSystem Time Discovery2Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsNative API1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection12LSASS MemoryQuery Registry1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerSecurity Software Discovery3SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete