Analysis Report nT5pUwoJSS.dll

Overview

General Information

Sample Name: nT5pUwoJSS.dll
Analysis ID: 412166
MD5: 6fdbd25f7a84da80ee9d8577122c3291
SHA1: 39a52cbc48be934cf953d4699e8a1ea5ff53a5bf
SHA256: 4bf6e9d4067cb905631ddf7452ac571c4ed9800c7eb8fc7e51b688e1154f52e3
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
IP address seen in connection with other malware
One or more processes crash
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 2.3.rundll32.exe.2c3a427.0.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "KujE77ctKyR8x3/dODwZbEsxGmck+FW9384s5u0Kacw8y1gCN+8m2bfjJPovkn+Uzufcdfss+a43eI6oHR1KgWQmvEAO6LK8tJv+Wl7iCBPJP7eef8xKeXht/Mhk1PSj7mHnJ9lcqKMtTteEdSecVvMRtb/WSKVTFfHDva9My7AJ/NbXqHdzCG7znACswLxD", "c2_domain": ["outlook.com/login", "gmail.com", "worunekulo.club", "horunekulo.website"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: nT5pUwoJSS.dll ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: nT5pUwoJSS.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: nT5pUwoJSS.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb+ source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000E.00000003.871565860.00000000032AE000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb4h source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000E.00000003.877259368.00000000054C3000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: c:\Tube-meet\585\straight\lift\38_Claim\Tail.pdb source: loaddll32.exe, 00000000.00000002.910074848.000000006D4C9000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.911410296.000000006D4C9000.00000002.00020000.sdmp, nT5pUwoJSS.dll
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb4a source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000E.00000003.877169719.00000000054B2000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000E.00000003.877239660.00000000054B5000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000E.00000003.877178241.00000000054B8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000E.00000003.877150274.00000000053A1000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb7` source: WerFault.exe, 0000000E.00000003.877231767.00000000054B0000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C84C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_02C84C3B

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.153.146 40.97.153.146
Source: global traffic HTTP traffic detected:
GET /login/greed/KnH9H6Qjc_2F7/0e3_2F0_/2FRqQPyOKs18rFK5waVCGCI/jIBCBbgDdF/18TiURZdioL3eU4Wc/SUXArexakZ5d/R0lDxIGeIYj/c6FwtLcTr3EmEj/nbrTM1t_2BdTxREGmfFhs/_2BnTf5cT9dEAnPd/AFLbs3lARk22SMJ/POUz7dti2oyFXHE3_2/FgEVGs1vD/4LhoHpnAxyp/chUrsX.gfk HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: outlook.com
Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: outlook.com
Source: WerFault.exe, 0000000E.00000003.889153103.0000000005072000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: {4BD5DCDF-B312-11EB-90EB-ECF4BBEA1588}.dat.17.dr String found in binary or memory: https://outlook.office365.com/login/greed/KnH9H6Qjc_2F7/0e3_2F0_/2FRqQPyOKs18rFK5waVCGCI/jIBCBbgDdF/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.909557678.00000000012EB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4823A5 NtQueryVirtualMemory, 0_2_6D4823A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4815F1 GetProcAddress,NtCreateSection,memset, 3_2_6D4815F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D481F14 NtMapViewOfSection, 3_2_6D481F14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4823A5 NtQueryVirtualMemory, 3_2_6D4823A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C81168 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_02C81168
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C8B2F1 NtQueryVirtualMemory, 3_2_02C8B2F1
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D482184 0_2_6D482184
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4B8960 0_2_6D4B8960
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C2153 0_2_6D4C2153
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D482184 3_2_6D482184
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C8B0CC 3_2_02C8B0CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C8696A 3_2_02C8696A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C81B6A 3_2_02C81B6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4B8960 3_2_6D4B8960
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C2153 3_2_6D4C2153
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6992 -s 892
Sample file is different than original file name gathered from version info
Source: nT5pUwoJSS.dll Binary or memory string: OriginalFilenameTail.dll0 vs nT5pUwoJSS.dll
Uses 32bit PE files
Source: nT5pUwoJSS.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: nT5pUwoJSS.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal72.troj.winDLL@15/9@3/3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C87F56 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_02C87F56
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4BD5DCDD-B312-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6992
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8EB1.tmp
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Eithernothing
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Order
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\nT5pUwoJSS.dll,Smileschool
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5516 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: nT5pUwoJSS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nT5pUwoJSS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nT5pUwoJSS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nT5pUwoJSS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nT5pUwoJSS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nT5pUwoJSS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: nT5pUwoJSS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nT5pUwoJSS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nT5pUwoJSS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nT5pUwoJSS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nT5pUwoJSS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nT5pUwoJSS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4817FA LoadLibraryA,GetProcAddress, 0_2_6D4817FA
PE file contains an invalid checksum
Source: nT5pUwoJSS.dll Static PE information: real checksum: 0x84de2 should be: 0x84de4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D482173 push ecx; ret 0_2_6D482183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D482120 push ecx; ret 0_2_6D482129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D492C15 push ebp; retf 0_2_6D492C16
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D494348 push ss; ret 0_2_6D49434B
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C2761 push ecx; ret 0_2_6D4C2774
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D49778D pushfd ; ret 0_2_6D4977AB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D492F9A push edi; retf 0_2_6D492FA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D482173 push ecx; ret 3_2_6D482183
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D482120 push ecx; ret 3_2_6D482129
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C8B0BB push ecx; ret 3_2_02C8B0CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C8AD00 push ecx; ret 3_2_02C8AD09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D492C15 push ebp; retf 3_2_6D492C16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D494348 push ss; ret 3_2_6D49434B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C2761 push ecx; ret 3_2_6D4C2774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D49778D pushfd ; ret 3_2_6D4977AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D492F9A push edi; retf 3_2_6D492FA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_06B3F7B4 push 776EF672h; iretd 4_2_06B3F7E5

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C84C3B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_02C84C3B
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000000E.00000003.889249389.0000000005046000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000000E.00000002.892437315.0000000005110000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D4C150C
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4817FA LoadLibraryA,GetProcAddress, 0_2_6D4817FA
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F5770 mov eax, dword ptr fs:[00000030h] 0_2_6D4F5770
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F56A6 mov eax, dword ptr fs:[00000030h] 0_2_6D4F56A6
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4F52AD push dword ptr fs:[00000030h] 0_2_6D4F52AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4F5770 mov eax, dword ptr fs:[00000030h] 3_2_6D4F5770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4F56A6 mov eax, dword ptr fs:[00000030h] 3_2_6D4F56A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4F52AD push dword ptr fs:[00000030h] 3_2_6D4F52AD
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D4C150C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6D4C636F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D4C2F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6D4C2F08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C150C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6D4C150C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C636F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6D4C636F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D4C2F08 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D4C2F08

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\nT5pUwoJSS.dll',#1
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.909717516.0000000001870000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.910277829.0000000003140000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C82D6E cpuid 3_2_02C82D6E
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_6D4C7660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 3_2_6D4C7660
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D481237 SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,GetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6D481237
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02C82D6E RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_02C82D6E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6D481CDD CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6D481CDD

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.881584954.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881638380.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881444184.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881614039.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881537844.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881689753.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881502007.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.881360850.00000000050E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6960, type: MEMORY

Behavior Graph (ID: 412166, Sample: nT5pUwoJSS.dll, Startdate: 12/05/2021, Architecture: WINDOWS, Score: 72). Top-level signatures: Found malware configuration; Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample. Process tree: loaddll32.exe started rundll32.exe (Writes registry values via WMI), a second rundll32.exe (which started WerFault.exe), cmd.exe (which started rundll32.exe) and a further rundll32.exe; iexplore.exe started a child iexplore.exe, which contacted 40.101.137.82:443 and outlook.com (40.97.153.146):443, both MICROSOFT-CORP-MSN-AS-BLOCKUS, United States, plus 5 other IPs or domains.

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
52.97.233.66 HHN-efz.ms-acdc.office.com United States 8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
40.101.137.82 unknown United States 8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
40.97.153.146 outlook.com United States 8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false

Contacted Domains

Name IP Active
outlook.com 40.97.153.146 true
HHN-efz.ms-acdc.office.com 52.97.233.66 true
www.outlook.com unknown unknown
outlook.office365.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://outlook.com/login/greed/KnH9H6Qjc_2F7/0e3_2F0_/2FRqQPyOKs18rFK5waVCGCI/jIBCBbgDdF/18TiURZdioL3eU4Wc/SUXArexakZ5d/R0lDxIGeIYj/c6FwtLcTr3EmEj/nbrTM1t_2BdTxREGmfFhs/_2BnTf5cT9dEAnPd/AFLbs3lARk22SMJ/POUz7dti2oyFXHE3_2/FgEVGs1vD/4LhoHpnAxyp/chUrsX.gfk false high