Analysis Report A5uTdwOwJ1.dll

Overview

General Information

Sample Name: A5uTdwOwJ1.dll
Analysis ID: 410913
MD5: 1752fe2b8419be8241ecd08859a5800f
SHA1: eb7346a6d5a53ddaf8fd073f266c64d642b40a7d
SHA256: e81869620b9a18c3702c7be2fcf2e170cbc5c3de1ddbc84ae1fe190b57e917a0
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Ursnif
Writes registry values via WMI
Allocates a big amount of memory (probably used for heap spraying)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 0.3.loaddll32.exe.f9a427.0.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Compliance:

Uses 32bit PE files
Source: A5uTdwOwJ1.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: A5uTdwOwJ1.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000000.00000002.933350818.000000006D4CB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.934697634.000000006D4CB000.00000002.00020000.sdmp, A5uTdwOwJ1.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 0_2_6D4A5AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B64C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_02B64C3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4A5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 3_2_6D4A5AB0

Software Vulnerabilities:

Allocates a big amount of memory (probably used for heap spraying)
Source: iexplore.exe Memory has grown: Private usage: 0MB later: 5MB
Source: unknown DNS traffic detected: queries for: outlook.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.933933475.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.932987717.000000000106B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.933933475.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORY

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4323A5 NtQueryVirtualMemory, 0_2_6D4323A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4315F1 GetProcAddress,NtCreateSection,memset, 3_2_6D4315F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D431F14 NtMapViewOfSection, 3_2_6D431F14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4323A5 NtQueryVirtualMemory, 3_2_6D4323A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B61168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_02B61168
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B6B2F1 NtQueryVirtualMemory, 3_2_02B6B2F1
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D432184 0_2_6D432184
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D432184 3_2_6D432184
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B6B0CC 3_2_02B6B0CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B6696A 3_2_02B6696A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B61B6A 3_2_02B61B6A
Sample file is different than original file name gathered from version info
Source: A5uTdwOwJ1.dll Binary or memory string: OriginalFilenamefall.dll8 vs A5uTdwOwJ1.dll
Uses 32bit PE files
Source: A5uTdwOwJ1.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal60.troj.winDLL@14/4@3/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B67F56 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_02B67F56
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FA9A4670-B247-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF7A757557FCA01EC0.TMP
Source: A5uTdwOwJ1.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5uTdwOwJ1.dll,Hundredpopulate@@8
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\A5uTdwOwJ1.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\A5uTdwOwJ1.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A5uTdwOwJ1.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5uTdwOwJ1.dll,Mark@@12
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\A5uTdwOwJ1.dll,Seefit@@8
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4640 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: A5uTdwOwJ1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: A5uTdwOwJ1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: A5uTdwOwJ1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: A5uTdwOwJ1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: A5uTdwOwJ1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: A5uTdwOwJ1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: A5uTdwOwJ1.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: A5uTdwOwJ1.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\die\Oh\ease_Slip\Suffix\fall.pdb source: loaddll32.exe, 00000000.00000002.933350818.000000006D4CB000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.934697634.000000006D4CB000.00000002.00020000.sdmp, A5uTdwOwJ1.dll
Source: A5uTdwOwJ1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: A5uTdwOwJ1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: A5uTdwOwJ1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: A5uTdwOwJ1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: A5uTdwOwJ1.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4317FA LoadLibraryA,GetProcAddress, 0_2_6D4317FA
PE file contains an invalid checksum
Source: A5uTdwOwJ1.dll Static PE information: real checksum: 0xdacb0 should be: 0xd9de3
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D432173 push ecx; ret 0_2_6D432183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D432120 push ecx; ret 0_2_6D432129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D5006DB push ebp; retf 0000h 0_2_6D5006DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D432173 push ecx; ret 3_2_6D432183
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D432120 push ecx; ret 3_2_6D432129
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B6B0BB push ecx; ret 3_2_02B6B0CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B6AD00 push ecx; ret 3_2_02B6AD09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D5006DB push ebp; retf 0000h 3_2_6D5006DC

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.933933475.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORY
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4611D0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6D4611D0
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 0_2_6D4A5AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B64C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_02B64C3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4A5AB0 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW, 3_2_6D4A5AB0

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D474F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D474F60
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A0480 __invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__aligned_msize,__invoke_watson_if_error,__cftoe,__aligned_msize,__invoke_watson_if_error,GetFileType,WriteConsoleW,GetLastError,__cftoe,WriteFile,WriteFile,OutputDebugStringW,__invoke_watson_if_error,__CrtDbgReportWV, 0_2_6D4A0480
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4317FA LoadLibraryA,GetProcAddress, 0_2_6D4317FA
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A4D80 mov ecx, dword ptr fs:[00000030h] 0_2_6D4A4D80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A4CE0 mov ecx, dword ptr fs:[00000030h] 0_2_6D4A4CE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4A4E20 mov ecx, dword ptr fs:[00000030h] 0_2_6D4A4E20
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D477960 mov eax, dword ptr fs:[00000030h] 0_2_6D477960
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4FC536 mov eax, dword ptr fs:[00000030h] 0_2_6D4FC536
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4FC46C mov eax, dword ptr fs:[00000030h] 0_2_6D4FC46C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4FC073 push dword ptr fs:[00000030h] 0_2_6D4FC073
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4A4D80 mov ecx, dword ptr fs:[00000030h] 3_2_6D4A4D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4A4CE0 mov ecx, dword ptr fs:[00000030h] 3_2_6D4A4CE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4A4E20 mov ecx, dword ptr fs:[00000030h] 3_2_6D4A4E20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D477960 mov eax, dword ptr fs:[00000030h] 3_2_6D477960
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4FC536 mov eax, dword ptr fs:[00000030h] 3_2_6D4FC536
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4FC46C mov eax, dword ptr fs:[00000030h] 3_2_6D4FC46C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4FC073 push dword ptr fs:[00000030h] 3_2_6D4FC073
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D474F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D474F60
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4636C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D4636C0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D463990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D463990
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4638F0 SetUnhandledExceptionFilter, 0_2_6D4638F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D474F60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D474F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4636C0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D4636C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D463990 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6D463990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4638F0 SetUnhandledExceptionFilter, 3_2_6D4638F0

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\A5uTdwOwJ1.dll',#1
Source: loaddll32.exe, 00000000.00000002.933070548.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.933475448.0000000002FF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.933070548.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.933475448.0000000002FF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.933070548.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.933475448.0000000002FF0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.933070548.0000000001620000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.933475448.0000000002FF0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B62D6E cpuid 3_2_02B62D6E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D431237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6D431237
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02B62D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_02B62D6E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D431CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6D431CDD

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.933933475.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000002.933933475.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 7076, type: MEMORY
Behavior Graph (ID: 410913, Sample: A5uTdwOwJ1.dll, Startdate: 11/05/2021, Architecture: WINDOWS, Score: 60)
Processes: loaddll32.exe starts rundll32.exe (three instances) and cmd.exe; cmd.exe starts rundll32.exe; iexplore.exe starts a child iexplore.exe.
Contacted domains: www.outlook.com, outlook.office365.com, 4 other IPs or domains.
Signatures in graph: Found malware configuration, Yara detected Ursnif, Writes registry values via WMI (rundll32.exe).
No contacted IP infos

Contacted Domains

Name                          IP              Active
outlook.com                   40.97.116.82    true
HHN-efz.ms-acdc.office.com    40.101.138.210  true
www.outlook.com               unknown         unknown
outlook.office365.com         unknown         unknown