Analysis Report kZcCqvNtWa.dll

Overview

General Information

Sample Name: kZcCqvNtWa.dll
Analysis ID: 412159
MD5: b9b732dbc6f94c79b5767eb98ebd899a
SHA1: 984a3ba5d4fe06265ce23cec82bda6a63b2bb3bc
SHA256: 1a0d4b328438a72cee012f6387825d942463b896fadc13f2c17e8d005f510cd4
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 5.3.rundll32.exe.d2a427.0.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: kZcCqvNtWa.dll ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: kZcCqvNtWa.dll Joe Sandbox ML: detected
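The extracted configuration above is the most actionable artefact in this report, but not every entry in c2_domain is a command-and-control host: ISFB builds routinely list a few legitimate, high-traffic domains first (here outlook.com/login and gmail.com) and the sandbox's DNS log shows only outlook.com being resolved. The following is an added triage script, not Joe Sandbox code or part of the report; CONFIG_JSON is the extractor output copied verbatim from the line above, while the function names, the LIKELY_DECOYS set and the Suricata sid range are this example's own assumptions.

```python
"""Triage of the Ursnif/ISFB configuration printed in this report.

Added example, not part of Joe Sandbox or of the report. CONFIG_JSON is
the extractor output copied from the report; everything else (function
names, LIKELY_DECOYS, the rule numbering) is this example's assumption.
"""
import json
from urllib.parse import urlsplit

CONFIG_JSON = r'''{"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}'''

# Assumption: ISFB configs usually put a few legitimate, high-traffic domains
# ahead of the real C2 hosts (connectivity probe / analyst noise). Treating
# them as decoys is a triage heuristic, not a fact from the report; confirm
# against the sandbox's actual network traffic.
LIKELY_DECOYS = {"outlook.com", "gmail.com", "google.com", "microsoft.com"}


def normalize_host(entry: str) -> str:
    """Reduce a c2_domain entry such as 'outlook.com/login' to its host name."""
    url = entry if "://" in entry else "//" + entry
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in config entry {entry!r}")
    return host


def is_decoy(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in LIKELY_DECOYS)


def triage(cfg: dict) -> dict:
    """Split the config into indicators an analyst can act on."""
    decoys, candidates = [], []
    for entry in cfg.get("c2_domain", []):
        host = normalize_host(entry)
        (decoys if is_decoy(host) else candidates).append(host)
    return {
        "botnet": cfg.get("botnet"),
        "server": cfg.get("server"),
        "serpent_key": cfg.get("serpent_key"),   # 16-byte Serpent key for the C2 channel
        "sleep_time": int(cfg.get("sleep_time", 0)),
        "dga_count": int(cfg.get("DGA_count", 0)),  # DGA fallback domains per round
        "c2_candidates": candidates,
        "decoys": decoys,
    }


def suricata_dns_rules(hosts, base_sid=9000001):
    """One DNS-query alert per candidate C2 host (the sid range is a placeholder)."""
    rules = []
    for i, host in enumerate(hosts):
        rules.append(
            'alert dns any any -> any any (msg:"Ursnif C2 DNS query {0}"; '
            'dns.query; content:"{0}"; nocase; sid:{1}; rev:1;)'.format(host, base_sid + i)
        )
    return rules


def triage_report() -> dict:
    """Run the triage over the configuration copied from this report."""
    return triage(json.loads(CONFIG_JSON))


if __name__ == "__main__":
    result = triage_report()
    for key, value in result.items():
        print(f"{key}: {value}")
    print("\n".join(suricata_dns_rules(result["c2_candidates"])))
```

The two hosts left in c2_candidates are the ones worth blocking and hunting for in DNS logs; the decoy list is kept in the output rather than dropped so the heuristic can be checked against the contacted-domains table at the end of this report.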

Compliance:

Uses 32bit PE files
Source: kZcCqvNtWa.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Tube-meet\585\straight\lift\38_Claim\Tail.pdb source: loaddll32.exe, 00000000.00000002.480778808.000000006E289000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.479153934.000000006E289000.00000002.00020000.sdmp, kZcCqvNtWa.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001D4C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_001D4C3B
Source: unknown DNS traffic detected: queries for: outlook.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
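The detail that matters in these four lines is the transport, not the values: when a process calls StdRegProv through IWbemServices::ExecMethod, the registry operation is carried out by the WMI provider host (WmiPrvSE.exe) rather than by RegSetValueEx in loaddll32.exe itself, so telemetry that only hooks the calling process's registry API sees nothing. Detection therefore has to look at WMI activity. The following is an added example, not Joe Sandbox code: it parses the four report lines above (copied verbatim as the sample input), classifies each StdRegProv method as a read or a write, and flags writes from processes outside a site-specific allowlist. The regex, the prefix-to-verb mapping and ALLOWED_WMI_REG_WRITERS are this example's assumptions.

```python
"""Classify the WMI StdRegProv calls listed in this report.

Added example, not from Joe Sandbox. REPORT_LINES are the report's own
"Writes or reads registry keys via WMI" entries; the regex, the verb
mapping and ALLOWED_WMI_REG_WRITERS are this example's assumptions.
"""
import re
from collections import defaultdict

REPORT_LINES = """\
Source: C:\\Windows\\System32\\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\\default : StdRegProv::GetStringValue
Source: C:\\Windows\\System32\\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\\default : StdRegProv::SetDWORDValue
Source: C:\\Windows\\System32\\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\\default : StdRegProv::SetBinaryValue
Source: C:\\Windows\\System32\\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\\default : StdRegProv::SetStringValue
""".splitlines()

LINE_RE = re.compile(
    r"Source:\s+(?P<proc>\S+)\s+WMI (?:Queries|Registry write):\s+"
    r"IWbemServices::(?P<call>\w+)\s+-\s+(?P<ns>\S+)\s+:\s+"
    r"(?P<cls>\w+)::(?P<method>\w+)"
)

# StdRegProv method name prefixes and their effect on the registry.
WRITE_PREFIXES = ("Set", "Create", "Delete")
READ_PREFIXES = ("Get", "Enum", "Check")

# Assumption: processes a given environment expects to drive the registry
# through WMI. Adjust per site; a DLL host such as loaddll32.exe or
# rundll32.exe should not be on it.
ALLOWED_WMI_REG_WRITERS = {"wmic.exe", "powershell.exe"}


def parse_line(line):
    """Return a dict for one report line, or None if it is not a WMI entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    method = m.group("method")
    if method.startswith(WRITE_PREFIXES):
        verb = "write"
    elif method.startswith(READ_PREFIXES):
        verb = "read"
    else:
        verb = "other"
    return {
        "process": m.group("proc"),
        "namespace": m.group("ns"),
        "class": m.group("cls"),
        "method": method,
        "verb": verb,
    }


def parse_lines(lines):
    return [e for e in (parse_line(line) for line in lines) if e]


def summarize(events):
    """Per-process read/write/other counts."""
    counts = defaultdict(lambda: {"read": 0, "write": 0, "other": 0})
    for e in events:
        counts[e["process"]][e["verb"]] += 1
    return dict(counts)


def suspicious(events):
    """StdRegProv writes issued by a process outside the allowlist."""
    hits = []
    for e in events:
        image = e["process"].rsplit("\\", 1)[-1].lower()
        if e["class"] == "StdRegProv" and e["verb"] == "write" \
                and image not in ALLOWED_WMI_REG_WRITERS:
            hits.append(e)
    return hits


if __name__ == "__main__":
    events = parse_lines(REPORT_LINES)
    print(summarize(events))
    for hit in suspicious(events):
        print("suspicious WMI registry write:", hit["process"], hit["method"])
```

On a live host the same classification applies to the Microsoft-Windows-WMI-Activity/Operational log or to process telemetry that attributes WmiPrvSE.exe registry writes back to the client process; the report lines are used here only because they are the evidence this page actually contains.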
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E241F14 NtMapViewOfSection, 0_2_6E241F14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2415F1 GetProcAddress,NtCreateSection,memset, 0_2_6E2415F1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2423A5 NtQueryVirtualMemory, 0_2_6E2423A5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001D1168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_001D1168
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001DB2F1 NtQueryVirtualMemory, 0_2_001DB2F1
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E242184 0_2_6E242184
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001DB0CC 0_2_001DB0CC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001D696A 0_2_001D696A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001D1B6A 0_2_001D1B6A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E278960 0_2_6E278960
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E282153 0_2_6E282153
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E278960 3_2_6E278960
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E282153 3_2_6E282153
Sample file is different than original file name gathered from version info
Source: kZcCqvNtWa.dll Binary or memory string: OriginalFilenameTail.dll0 vs kZcCqvNtWa.dll
Uses 32bit PE files
Source: kZcCqvNtWa.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: kZcCqvNtWa.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal76.troj.winDLL@14/4@3/0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001D7F56 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_001D7F56
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFE4F68CE1A440F339.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Eithernothing
Source: kZcCqvNtWa.dll ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Eithernothing
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Order
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\kZcCqvNtWa.dll,Smileschool
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1492 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: kZcCqvNtWa.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: kZcCqvNtWa.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: kZcCqvNtWa.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: kZcCqvNtWa.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: kZcCqvNtWa.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: kZcCqvNtWa.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: c:\Tube-meet\585\straight\lift\38_Claim\Tail.pdb source: loaddll32.exe, 00000000.00000002.480778808.000000006E289000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.479153934.000000006E289000.00000002.00020000.sdmp, kZcCqvNtWa.dll
Source: kZcCqvNtWa.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: kZcCqvNtWa.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: kZcCqvNtWa.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: kZcCqvNtWa.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: kZcCqvNtWa.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2417FA LoadLibraryA,GetProcAddress, 0_2_6E2417FA
PE file contains an invalid checksum
Source: kZcCqvNtWa.dll Static PE information: real checksum: 0x84de2 should be: 0x8037c
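The "real checksum" above is the value stored in OptionalHeader.CheckSum; "should be" is what the standard PE checksum algorithm (the one imagehlp's CheckSumMappedFile implements) yields for the file as submitted. A mismatch means the image was patched or rebuilt after the linker wrote the header, which is common for packed or hand-modified malware but is a weak signal on its own: plenty of legitimate user-mode binaries ship with a zero or stale checksum, and the loader only enforces it for kernel drivers and certain system DLLs. The following is an added example, not part of the report, that recomputes the checksum so the two numbers can be reproduced; build_sample() constructs a 256-byte header stub (not a loadable PE) so the block runs offline, and verify_file() is the call to make against the actual kZcCqvNtWa.dll.

```python
"""Recompute a PE image checksum the way imagehlp's CheckSumMappedFile does.

Added example, not part of the report. build_sample() is a constructed
header stub (not a loadable PE) so the block runs offline; run
verify_file("kZcCqvNtWa.dll") to reproduce the report's two values.
"""
import struct

COFF_HEADER_SIZE = 20
OPTIONAL_HEADER_CHECKSUM_OFFSET = 64   # same field offset for PE32 and PE32+


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum, located via e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    off = e_lfanew + 4 + COFF_HEADER_SIZE + OPTIONAL_HEADER_CHECKSUM_OFFSET
    if off % 4:
        raise ValueError("CheckSum field is not dword aligned")
    return off


def pe_checksum(data: bytes) -> int:
    """Sum every dword except the CheckSum field itself with end-around carry,
    fold the result to 16 bits, then add the file length."""
    skip = checksum_field_offset(data)
    total = 0
    for i in range(0, len(data), 4):
        if i == skip:
            continue
        chunk = data[i:i + 4].ljust(4, b"\0")   # a trailing partial dword is zero padded
        total += struct.unpack("<I", chunk)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    total &= 0xFFFF
    return (total + len(data)) & 0xFFFFFFFF


def verify_checksum(data: bytes):
    """Return (stored, computed); the report shows 0x84de2 vs 0x8037c for this sample."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    return stored, pe_checksum(data)


def set_checksum(data: bytes) -> bytes:
    """Return a copy with a correct CheckSum written into the header."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def verify_file(path: str):
    with open(path, "rb") as fh:
        return verify_checksum(fh.read())


def build_sample() -> bytes:
    """Constructed 256-byte stub: MZ header, e_lfanew = 0x40, PE signature and
    a deliberately wrong CheckSum value (0xDEADBEEF) at offset 0x98."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + COFF_HEADER_SIZE + OPTIONAL_HEADER_CHECKSUM_OFFSET, 0xDEADBEEF)
    return bytes(buf)


if __name__ == "__main__":
    stored, computed = verify_checksum(build_sample())
    print(f"stored=0x{stored:x} computed=0x{computed:x} match={stored == computed}")
```

Because the CheckSum field is excluded from the sum, writing the computed value back (set_checksum) does not change the result, which is why the stub verifies cleanly after the fix; the same round trip on the real sample turns the sandbox signature off without touching any code, a reminder that the signature measures header hygiene, not behaviour.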
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E242120 push ecx; ret 0_2_6E242129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E242173 push ecx; ret 0_2_6E242183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001DB0BB push ecx; ret 0_2_001DB0CB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001DAD00 push ecx; ret 0_2_001DAD09
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E282761 push ecx; ret 0_2_6E282774
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E254348 push ss; ret 0_2_6E25434B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E25778D pushfd ; ret 0_2_6E2577AB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E252F9A push edi; retf 0_2_6E252FA4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E252C15 push ebp; retf 0_2_6E252C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E282761 push ecx; ret 3_2_6E282774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E254348 push ss; ret 3_2_6E25434B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E25778D pushfd ; ret 3_2_6E2577AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E252F9A push edi; retf 3_2_6E252FA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E252C15 push ebp; retf 3_2_6E252C16

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001D4C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_001D4C3B

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E28636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E28636F
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2417FA LoadLibraryA,GetProcAddress, 0_2_6E2417FA
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2B5770 mov eax, dword ptr fs:[00000030h] 0_2_6E2B5770
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2B56A6 mov eax, dword ptr fs:[00000030h] 0_2_6E2B56A6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2B52AD push dword ptr fs:[00000030h] 0_2_6E2B52AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2B5770 mov eax, dword ptr fs:[00000030h] 3_2_6E2B5770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2B56A6 mov eax, dword ptr fs:[00000030h] 3_2_6E2B56A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E2B52AD push dword ptr fs:[00000030h] 3_2_6E2B52AD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E282F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E282F08
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E28636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E28636F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E28150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E28150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E282F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E282F08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E28636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E28636F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E28150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E28150C

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\kZcCqvNtWa.dll',#1
Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.476337684.0000000001240000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.477553156.0000000003910000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001D2D6E cpuid 0_2_001D2D6E
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_6E287660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_6E287660
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E241237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E241237
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_001D2D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_001D2D6E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E241CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E241CDD

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.477098512.0000000002FA8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 1956, type: MEMORY

Behavior Graph

Behavior Graph ID: 412159, Sample: kZcCqvNtWa.dll, Startdate: 12/05/2021, Architecture: WINDOWS, Score: 76
DNS/IP: www.outlook.com, outlook.office365.com, 4 other IPs or domains
Sample-level signatures: Found malware configuration, Multi AV Scanner detection for submitted file, Yara detected Ursnif, Machine Learning detection for sample
Process tree: loaddll32.exe (Writes or reads registry keys via WMI, Writes registry values via WMI) started cmd.exe and three rundll32.exe instances; cmd.exe started a further rundll32.exe; iexplore.exe started a second iexplore.exe
No contacted IP infos

Contacted Domains

Name | IP | Active
outlook.com | 40.97.153.146 | true
HHN-efz.ms-acdc.office.com | 52.98.171.226 | true
www.outlook.com | unknown | unknown
outlook.office365.com | unknown | unknown