Analysis Report 609a460e94791.tiff.dll

Overview

General Information

Sample Name: 609a460e94791.tiff.dll
Analysis ID: 410818
MD5: 50a299d1e92d9205e123404c8e05904d
SHA1: c188272ab757dbbf14e74781fc90fcefe4aeb615
SHA256: 3b56b7298c366a323d28658a455abf0d4e78fa197a43ce13bedab05f26901d34
Tags: BRT, dll, geo, gozi, isfb, ita, ursnif

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.4c894a0.3.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Compliance:

Uses 32bit PE files
Source: 609a460e94791.tiff.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 609a460e94791.tiff.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000001.00000002.727825463.000000006E20B000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.730325292.000000006E20B000.00000002.00020000.sdmp, 609a460e94791.tiff.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1E5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 1_2_6E1E5AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C94C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 4_2_02C94C3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 4_2_6E1E5AB0

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.161.50 40.97.161.50
Source: global traffic HTTP traffic detected:
  GET /login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBaicl7yvyNDs/NaAVAq9mPnbNTlKz1AUy2/5aIKWQiZNRBNaijS/Tt5Vo5dnaNIMeJI/Piqfb55cpfCEI8CpHK/_2FWICMIW/YUkQnOfGVld1SPd1rTnm/w0s_2F9NNcplFjkZ_2F/ufX9zF863VCJiOMFbmL1SV/K4t8NhPa8Lg/cl7PdmL.gfk HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: outlook.com
  Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: outlook.com
Source: ~DF6A2029352AAD8EB0.TMP.18.dr, {7A4756FC-B284-11EB-90E5-ECF4BB2D2496}.dat.18.dr String found in binary or memory: https://outlook.office365.com/login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBa
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.662417377.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.681209868.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.724251151.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662378098.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662456772.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.681069818.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662317153.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.681166678.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662182472.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662498468.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.681184112.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.681198469.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662484640.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.681099453.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.681146524.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.662019943.0000000003EA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.681124435.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.725706595.0000000005148000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6660, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6700, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000001.00000002.722729913.00000000016AB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E171F14 NtMapViewOfSection, 1_2_6E171F14
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1715F1 GetProcAddress,NtCreateSection,memset, 1_2_6E1715F1
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1723A5 NtQueryVirtualMemory, 1_2_6E1723A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C91168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_02C91168
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C9B2F1 NtQueryVirtualMemory, 4_2_02C9B2F1
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E172184 1_2_6E172184
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C9B0CC 4_2_02C9B0CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C9696A 4_2_02C9696A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C91B6A 4_2_02C91B6A
Sample file is different than original file name gathered from version info
Source: 609a460e94791.tiff.dll Binary or memory string: OriginalFilenamefall.dll8 vs 609a460e94791.tiff.dll
Uses 32bit PE files
Source: 609a460e94791.tiff.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal64.troj.winDLL@14/5@3/3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C97F56 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 4_2_02C97F56
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7A4756FA-B284-11EB-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF745550B0ECD73E02.TMP
Source: 609a460e94791.tiff.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Hundredpopulate@@8
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Mark@@12
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\609a460e94791.tiff.dll,Seefit@@8
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5436 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 609a460e94791.tiff.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: 609a460e94791.tiff.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000001.00000002.727825463.000000006E20B000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.730325292.000000006E20B000.00000002.00020000.sdmp, 609a460e94791.tiff.dll
Source: 609a460e94791.tiff.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 609a460e94791.tiff.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 609a460e94791.tiff.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 609a460e94791.tiff.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 609a460e94791.tiff.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1717FA LoadLibraryA,GetProcAddress, 1_2_6E1717FA
PE file contains an invalid checksum
Source: 609a460e94791.tiff.dll Static PE information: real checksum: 0xdacb0 should be: 0xd1c24
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E172120 push ecx; ret 1_2_6E172129
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E172173 push ecx; ret 1_2_6E172183
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E2406DB push ebp; retf 0000h 1_2_6E2406DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C9B0BB push ecx; ret 4_2_02C9B0CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C9AD00 push ecx; ret 4_2_02C9AD09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2406DB push ebp; retf 0000h 4_2_6E2406DC

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1A11D0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_6E1A11D0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1E5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 1_2_6E1E5AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C94C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 4_2_02C94C3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 4_2_6E1E5AB0

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1A36C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E1A36C0
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1E0480 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV, 1_2_6E1E0480
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1717FA LoadLibraryA,GetProcAddress, 1_2_6E1717FA
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1E4E20 mov ecx, dword ptr fs:[00000030h] 1_2_6E1E4E20
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1E4CE0 mov ecx, dword ptr fs:[00000030h] 1_2_6E1E4CE0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1E4D80 mov ecx, dword ptr fs:[00000030h] 1_2_6E1E4D80
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B7960 mov eax, dword ptr fs:[00000030h] 1_2_6E1B7960
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E23C536 mov eax, dword ptr fs:[00000030h] 1_2_6E23C536
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E23C46C mov eax, dword ptr fs:[00000030h] 1_2_6E23C46C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E23C073 push dword ptr fs:[00000030h] 1_2_6E23C073
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E4E20 mov ecx, dword ptr fs:[00000030h] 4_2_6E1E4E20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E4CE0 mov ecx, dword ptr fs:[00000030h] 4_2_6E1E4CE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E4D80 mov ecx, dword ptr fs:[00000030h] 4_2_6E1E4D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1B7960 mov eax, dword ptr fs:[00000030h] 4_2_6E1B7960
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E23C536 mov eax, dword ptr fs:[00000030h] 4_2_6E23C536
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E23C46C mov eax, dword ptr fs:[00000030h] 4_2_6E23C46C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E23C073 push dword ptr fs:[00000030h] 4_2_6E23C073
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1A36C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E1A36C0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E1B4F60
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1A38F0 SetUnhandledExceptionFilter, 1_2_6E1A38F0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1A3990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6E1A3990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1A36C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E1A36C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1B4F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E1B4F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1A38F0 SetUnhandledExceptionFilter, 4_2_6E1A38F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1A3990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6E1A3990

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\609a460e94791.tiff.dll',#1
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000001.00000002.723307341.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.724383239.00000000031B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C92D6E cpuid 4_2_02C92D6E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E171237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 1_2_6E171237
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02C92D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 4_2_02C92D6E
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E171CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_6E171CDD

Stealing of Sensitive Information:

Yara detected Ursnif

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: same memory dumps and process memory spaces as listed under "Stealing of Sensitive Information" above (loaddll32.exe PID: 6660, rundll32.exe PID: 6700)

Behavior Graph ID: 410818 Sample: 609a460e94791.tiff.dll Startdate: 11/05/2021 Architecture: WINDOWS Score: 64

Root signatures: Found malware configuration; Yara detected Ursnif
Root started: loaddll32.exe; iexplore.exe
loaddll32.exe signatures: Writes or reads registry keys via WMI; Writes registry values via WMI
loaddll32.exe started: rundll32.exe (Writes registry values via WMI); cmd.exe; rundll32.exe; rundll32.exe
cmd.exe started: rundll32.exe
iexplore.exe started: iexplore.exe
iexplore.exe (child) contacted: FRA-efz.ms-acdc.office.com 40.101.12.82, 443, 49737, 49738 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; outlook.com 40.97.161.50, 443, 49732, 49733 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 5 other IPs or domains

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
52.97.201.34 HHN-efz.ms-acdc.office.com United States 8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
40.97.161.50 outlook.com United States 8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
40.101.12.82 FRA-efz.ms-acdc.office.com United States 8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false

Contacted Domains

Name IP Active
outlook.com 40.97.161.50 true
HHN-efz.ms-acdc.office.com 52.97.201.34 true
FRA-efz.ms-acdc.office.com 40.101.12.82 true
www.outlook.com unknown unknown
outlook.office365.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://outlook.com/login/greed/gx9NI4Ybpp/8F85m84ndjn4UwJSZ/KFY_2BxmUPMy/coa0QUktAbb/vjBaicl7yvyNDs/NaAVAq9mPnbNTlKz1AUy2/5aIKWQiZNRBNaijS/Tt5Vo5dnaNIMeJI/Piqfb55cpfCEI8CpHK/_2FWICMIW/YUkQnOfGVld1SPd1rTnm/w0s_2F9NNcplFjkZ_2F/ufX9zF863VCJiOMFbmL1SV/K4t8NhPa8Lg/cl7PdmL.gfk false (none) high