Analysis Report c63f1121_by_Libranalysis

Overview

General Information

Sample Name: c63f1121_by_Libranalysis (renamed file extension from none to dll)
Analysis ID: 412403
MD5: c63f11211f899e38c1c230594024950a
SHA1: 4d5baeaf852156dbe8053a1c600c7d96049f5967
SHA256: 70f617d8686bdc7d17d4f3b992a27f2532686815aaf5289841b87fd0c198ff3a
Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: c63f1121_by_Libranalysis.dll Virustotal: Detection: 21%
Source: c63f1121_by_Libranalysis.dll ReversingLabs: Detection: 10%

Compliance:

Uses 32bit PE files
Source: c63f1121_by_Libranalysis.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: c63f1121_by_Libranalysis.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\start\populate-Been\early\Cell.pdb source: loaddll32.exe, 00000001.00000002.967487955.000000006D55E000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.979819270.000000006D55E000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.973298703.000000006D55E000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.934749733.000000006D55E000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.945802512.000000006D55E000.00000002.00020000.sdmp, c63f1121_by_Libranalysis.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D546773 FindFirstFileExW,FindNextFileW,FindClose, 1_2_6D546773
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D5463B7 FindFirstFileExW, 1_2_6D5463B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D546773 FindFirstFileExW,FindNextFileW,FindClose, 3_2_6D546773
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D5463B7 FindFirstFileExW, 3_2_6D5463B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D546773 FindFirstFileExW,FindNextFileW,FindClose, 4_2_6D546773
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D5463B7 FindFirstFileExW, 4_2_6D5463B7

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D502485 NtQueryVirtualMemory, 3_2_6D502485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D502485 NtQueryVirtualMemory, 4_2_6D502485
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D53DDE0 1_2_6D53DDE0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D553CA0 1_2_6D553CA0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D551FD3 1_2_6D551FD3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D53D96D 1_2_6D53D96D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D53E991 1_2_6D53E991
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D553870 1_2_6D553870
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D53DB9F 1_2_6D53DB9F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D5594E3 1_2_6D5594E3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D54E490 1_2_6D54E490
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D53E4B8 1_2_6D53E4B8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D53E72C 1_2_6D53E72C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D5307FD 1_2_6D5307FD
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D53E012 1_2_6D53E012
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D5593C3 1_2_6D5593C3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D53E253 1_2_6D53E253
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D502264 3_2_6D502264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D53DDE0 3_2_6D53DDE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D5594E3 3_2_6D5594E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D53E4B8 3_2_6D53E4B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D53E72C 3_2_6D53E72C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D5307FD 3_2_6D5307FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D55B94E 3_2_6D55B94E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D53D96D 3_2_6D53D96D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D53E991 3_2_6D53E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D53E012 3_2_6D53E012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D553350 3_2_6D553350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D5593C3 3_2_6D5593C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D53DB9F 3_2_6D53DB9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D53E253 3_2_6D53E253
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D502264 4_2_6D502264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D53DDE0 4_2_6D53DDE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D5594E3 4_2_6D5594E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D53E4B8 4_2_6D53E4B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D53E72C 4_2_6D53E72C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D5307FD 4_2_6D5307FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D55B94E 4_2_6D55B94E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D53D96D 4_2_6D53D96D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D53E991 4_2_6D53E991
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D53E012 4_2_6D53E012
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D553350 4_2_6D553350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D5593C3 4_2_6D5593C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D53DB9F 4_2_6D53DB9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D53E253 4_2_6D53E253
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6D548CA9 appears 32 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6D52AEA0 appears 50 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D545A57 appears 44 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6D52AEA0 appears 82 times
Sample file is different than original file name gathered from version info
Source: c63f1121_by_Libranalysis.dll Binary or memory string: OriginalFilenameCell.dll8 vs c63f1121_by_Libranalysis.dll
Uses 32bit PE files
Source: c63f1121_by_Libranalysis.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal56.troj.winDLL@11/0@0/0
Source: c63f1121_by_Libranalysis.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Dark@@4
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Schoolpress@@8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll,Triangleart@@8
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: c63f1121_by_Libranalysis.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c63f1121_by_Libranalysis.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c63f1121_by_Libranalysis.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c63f1121_by_Libranalysis.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c63f1121_by_Libranalysis.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c63f1121_by_Libranalysis.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: c63f1121_by_Libranalysis.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c63f1121_by_Libranalysis.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c63f1121_by_Libranalysis.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c63f1121_by_Libranalysis.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c63f1121_by_Libranalysis.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D501F31 LoadLibraryA,GetProcAddress, 3_2_6D501F31
PE file contains an invalid checksum
Source: c63f1121_by_Libranalysis.dll Static PE information: real checksum: 0x792ff should be: 0x83549
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D504FE6 push ds; iretd 1_2_6D504FF6
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D509EF3 push esp; retf 1_2_6D509EF4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D50887D push ss; retf 1_2_6D508881
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D50AAC5 push FFFF7185h; iretd 1_2_6D50AACA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D52A5CF push ecx; ret 1_2_6D52A5E2
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D50532C push edi; iretd 1_2_6D50532D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D502253 push ecx; ret 3_2_6D502263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D502200 push ecx; ret 3_2_6D502209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D52A5CF push ecx; ret 3_2_6D52A5E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D502253 push ecx; ret 4_2_6D502263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D502200 push ecx; ret 4_2_6D502209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D52A5CF push ecx; ret 4_2_6D52A5E2

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D546773 FindFirstFileExW,FindNextFileW,FindClose, 1_2_6D546773
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D5463B7 FindFirstFileExW, 1_2_6D5463B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D546773 FindFirstFileExW,FindNextFileW,FindClose, 3_2_6D546773
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D5463B7 FindFirstFileExW, 3_2_6D5463B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D546773 FindFirstFileExW,FindNextFileW,FindClose, 4_2_6D546773
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D5463B7 FindFirstFileExW, 4_2_6D5463B7

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D52AC9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6D52AC9F
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D501F31 LoadLibraryA,GetProcAddress, 3_2_6D501F31
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D545C5F mov eax, dword ptr fs:[00000030h] 1_2_6D545C5F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D545C1B mov eax, dword ptr fs:[00000030h] 1_2_6D545C1B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D545CD4 mov eax, dword ptr fs:[00000030h] 1_2_6D545CD4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D545CA3 mov eax, dword ptr fs:[00000030h] 1_2_6D545CA3
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D545B66 mov eax, dword ptr fs:[00000030h] 1_2_6D545B66
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D545B0B mov eax, dword ptr fs:[00000030h] 1_2_6D545B0B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D545AC8 mov eax, dword ptr fs:[00000030h] 1_2_6D545AC8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D545A85 mov eax, dword ptr fs:[00000030h] 1_2_6D545A85
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D537381 mov eax, dword ptr fs:[00000030h] 1_2_6D537381
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D545C5F mov eax, dword ptr fs:[00000030h] 3_2_6D545C5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D545C1B mov eax, dword ptr fs:[00000030h] 3_2_6D545C1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D545CD4 mov eax, dword ptr fs:[00000030h] 3_2_6D545CD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D545CA3 mov eax, dword ptr fs:[00000030h] 3_2_6D545CA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D545B66 mov eax, dword ptr fs:[00000030h] 3_2_6D545B66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D545B0B mov eax, dword ptr fs:[00000030h] 3_2_6D545B0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D537381 mov eax, dword ptr fs:[00000030h] 3_2_6D537381
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D545AC8 mov eax, dword ptr fs:[00000030h] 3_2_6D545AC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D545A85 mov eax, dword ptr fs:[00000030h] 3_2_6D545A85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D545C5F mov eax, dword ptr fs:[00000030h] 4_2_6D545C5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D545C1B mov eax, dword ptr fs:[00000030h] 4_2_6D545C1B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D545CD4 mov eax, dword ptr fs:[00000030h] 4_2_6D545CD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D545CA3 mov eax, dword ptr fs:[00000030h] 4_2_6D545CA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D545B66 mov eax, dword ptr fs:[00000030h] 4_2_6D545B66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D545B0B mov eax, dword ptr fs:[00000030h] 4_2_6D545B0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D537381 mov eax, dword ptr fs:[00000030h] 4_2_6D537381
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D545AC8 mov eax, dword ptr fs:[00000030h] 4_2_6D545AC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D545A85 mov eax, dword ptr fs:[00000030h] 4_2_6D545A85
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D52AC9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6D52AC9F
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D5369B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6D5369B4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D52B066 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6D52B066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D52AC9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D52AC9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D5369B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6D5369B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D52B066 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6D52B066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D52AC9F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6D52AC9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D5369B4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6D5369B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6D52B066 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6D52B066

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c63f1121_by_Libranalysis.dll',#1
Source: rundll32.exe, 00000003.00000002.946005518.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.965930684.0000000003770000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.920545655.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.920545948.0000000003190000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000003.00000002.946005518.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.965930684.0000000003770000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.920545655.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.920545948.0000000003190000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.946005518.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.965930684.0000000003770000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.920545655.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.920545948.0000000003190000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000003.00000002.946005518.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.965930684.0000000003770000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.920545655.0000000003190000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.920545948.0000000003190000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D52AABF cpuid 1_2_6D52AABF
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6D54ED30
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6D54EDCB
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6D54ECC7
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_6D54EE56
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6D548840
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_6D54EA25
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6D548740
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6D549163
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6D54F1CF
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6D54F0A9
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_6D54F3A4
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6D54F2D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 3_2_6D501566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D54ED30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D54EDCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D54ECC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6D548740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6D549163
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6D54F1CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6D54F3A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6D54EA25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 4_2_6D501566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6D54ED30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6D54EDCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6D54ECC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6D548740
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6D549163
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6D54F1CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6D54F3A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6D54EA25
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6D5491A2 GetSystemTimeAsFileTime, 1_2_6D5491A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6D50146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 3_2_6D50146C

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6d500000.1.unpack, type: UNPACKEDPE

Behavior Graph

Behavior Graph ID: 412403, Sample: c63f1121_by_Libranalysis, Startdate: 12/05/2021, Architecture: WINDOWS, Score: 56
Graph signatures: Multi AV Scanner detection for submitted file; Yara detected Ursnif
Process tree from the graph: loaddll32.exe started cmd.exe and three rundll32.exe instances; cmd.exe started one further rundll32.exe
No contacted IP infos