
Analysis Report soft.dll

Overview

General Information

Sample Name: soft.dll
Analysis ID: 430072
MD5: 627c8a536ed728b1b9e6d2dad958ac0c
SHA1: 03f6ab6dd415ca980cc0ab1f36f3d306e18c99bc
SHA256: 10ab600004b40a318004a19a90374c6430dcf5b2219dda9e6e017a424e3e0503

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4760 cmdline: loaddll32.exe 'C:\Users\user\Desktop\soft.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 2292 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5348 cmdline: rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5328 cmdline: rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5908 cmdline: rundll32.exe C:\Users\user\Desktop\soft.dll,Groupshop MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5912 cmdline: rundll32.exe C:\Users\user\Desktop\soft.dll,Stoodbroad MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

Malware Configuration

No configs have been found

Yara Overview

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: soft.dll, Virustotal: Detection: 13%
Source: soft.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: soft.dll, Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\Until\moon\old-speak\bright\come.pdb source: loaddll32.exe, 00000000.00000002.526260148.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.505285261.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.491588581.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.498620240.000000006E234000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.533256829.000000006E234000.00000002.00020000.sdmp, soft.dll
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E1FEF8D FindFirstFileExW
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E1FEF8D FindFirstFileExW
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_6E1FEF8D FindFirstFileExW
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_6E1FF349 FindFirstFileExW,FindNextFileW,FindClose

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_6E1E2485 NtQueryVirtualMemory
Source: C:\Windows\System32\loaddll32.exe, Code functions (0_2): 6E210EFC, 6E205F50, 6E1F1FD2, 6E1F1D6D, 6E20EA21, 6E1F1AF9, 6E205B20, 6E1E6BDF, 6E1F18C7, 6E20E901, 6E205600, 6E206616, 6E1F1686, 6E1F1454, 6E1F1213, 6E1F2237, 6E204277, 6E2130C4, 6E209110
Source: C:\Windows\SysWOW64\rundll32.exe, Code functions (3_2): 6E210EFC, 6E205F50, 6E1F1FD2, 6E1F1D6D, 6E20EA21, 6E1F1AF9, 6E205B20, 6E1E6BDF, 6E1F18C7, 6E20E901, 6E205600, 6E206616, 6E1F1686, 6E1F1454, 6E1F1213, 6E1F2237, 6E204277, 6E2130C4, 6E209110
Source: C:\Windows\SysWOW64\rundll32.exe, Code functions (6_2): 6E1E2264, 6E205600, 6E1F1686, 6E210EFC, 6E205F50, 6E1F1FD2, 6E1F1454, 6E1F1D6D, 6E20EA21, 6E1F1213, 6E1F2237, 6E1F1AF9, 6E205B20, 6E1F18C7, 6E2130C4, 6E20E901, 6E209110
Source: C:\Windows\System32\loaddll32.exe, Code function: String function: 6E1E33B0 appears 59 times
Source: C:\Windows\System32\loaddll32.exe, Code function: String function: 6E1F8C8A appears 54 times
Source: C:\Windows\System32\loaddll32.exe, Code function: String function: 6E1FE6CA appears 32 times
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 6E1E33B0 appears 60 times
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 6E1F8C8A appears 54 times
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: String function: 6E1FE6CA appears 63 times
Source: soft.dll, Binary or memory string: OriginalFilename come.dllx, vs soft.dll
Source: soft.dll, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine, Classification label: mal56.troj.winDLL@11/0@0/0
Source: soft.dll, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget
Source: soft.dll, Virustotal: Detection: 13%
Source: unknown, Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\soft.dll'
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Bottomget
Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\soft.dll',#1
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Groupshop
Source: C:\Windows\System32\loaddll32.exe, Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\soft.dll,Stoodbroad
Source: C:\Windows\SysWOW64\rundll32.exe, Automated click: OK
Source: soft.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: soft.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: soft.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: soft.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: soft.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: soft.dll, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: soft.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: soft.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: soft.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: soft.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: soft.dll, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_6E1E1F31 LoadLibraryA,GetProcAddress
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E216E00 push ecx; mov dword ptr [esp], ecx 0_2_6E216E01
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E1E33F6 push ecx; ret 0_2_6E1E3409
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E216E00 push ecx; mov dword ptr [esp], ecx 3_2_6E216E01
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E212342 push ecx; ret 3_2_6E212355
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E1E33F6 push ecx; ret 3_2_6E1E3409
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_6E1E2200 push ecx; ret 6_2_6E1E2209
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_6E1E2253 push ecx; ret 6_2_6E1E2263
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_6E216E00 push ecx; mov dword ptr [esp], ecx 6_2_6E216E01

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match, File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe, API coverage: 4.6 %
Source: C:\Windows\SysWOW64\rundll32.exe, API coverage: 2.8 %
Source: C:\Windows\SysWOW64\rundll32.exe, API coverage: 1.1 %
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E20DE00 IsDebuggerPresent,OutputDebugStringW
Source: C:\Windows\System32\loaddll32.exe, Code functions reading the PEB via mov eax, dword ptr fs:[00000030h] (mov ecx at 6E1F5704): 0_2_6E1FE88E, 0_2_6E1FE8D2, 0_2_6E1FE916, 0_2_6E1FE947, 0_2_6E1F567F, 0_2_6E1FE6F8, 0_2_6E1F5704, 0_2_6E1FE73B, 0_2_6E1FE77E, 0_2_6E1FE7D9
Source: C:\Windows\SysWOW64\rundll32.exe, Code functions reading the PEB via mov eax, dword ptr fs:[00000030h] (mov ecx at 6E1F5704): 3_2_6E1FE88E, 3_2_6E1FE8D2, 3_2_6E1FE916, 3_2_6E1FE947, 3_2_6E1F567F, 3_2_6E1FE6F8, 3_2_6E1F5704, 3_2_6E1FE73B, 3_2_6E1FE77E, 3_2_6E1FE7D9
Source: C:\Windows\SysWOW64\rundll32.exe, Code functions reading the PEB via mov eax, dword ptr fs:[00000030h] (mov ecx at 6E1F5704): 6_2_6E1F567F, 6_2_6E1FE6F8, 6_2_6E1F5704, 6_2_6E1FE73B, 6_2_6E1FE77E, 6_2_6E1FE7D9, 6_2_6E1FE88E, 6_2_6E1FE8D2, 6_2_6E1FE916, 6_2_6E1FE947
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E201302 GetProcessHeap
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E1F4EA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E1E2918 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E1E32F2 SetUnhandledExceptionFilter
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E1E315D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E1F4EA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E1E2918 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E1E32F2 SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 3_2_6E1E315D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_6E1F4EA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp, Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp, Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.518573177.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.485605241.0000000003940000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.471146263.0000000003110000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.476241599.0000000002F10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.526958958.0000000003310000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E1E340B cpuid
Source: C:\Windows\System32\loaddll32.exe, Code functions (0_2): GetLocaleInfoW,GetLocaleInfoW,GetACP (0_2_6E209E4F); GetLocaleInfoW (0_2_6E209F55); GetLocaleInfoW (0_2_6E209D29); EnumSystemLocalesW (0_2_6E209A4B); GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW (0_2_6E209AD6); EnumSystemLocalesW (0_2_6E1F8821); EnumSystemLocalesW (0_2_6E209947); EnumSystemLocalesW (0_2_6E2099B0); GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW (0_2_6E2096A5); EnumSystemLocalesW (0_2_6E1F8721); EnumSystemLocalesW (0_2_6E1F87F8); GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW (0_2_6E20A024); GetLocaleInfoW (0_2_6E1F9144)
Source: C:\Windows\SysWOW64\rundll32.exe, Code functions (3_2): the same thirteen locale functions at 3_2_6E209E4F, 3_2_6E209F55, 3_2_6E209D29, 3_2_6E209A4B, 3_2_6E209AD6, 3_2_6E1F8821, 3_2_6E209947, 3_2_6E2099B0, 3_2_6E2096A5, 3_2_6E1F8721, 3_2_6E1F87F8, 3_2_6E20A024, 3_2_6E1F9144
Source: C:\Windows\SysWOW64\rundll32.exe, Code functions (6_2): GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA (6_2_6E1E1566), plus the same thirteen locale functions at 6_2_6E209E4F, 6_2_6E2096A5, 6_2_6E1F8721, 6_2_6E209F55, 6_2_6E1F87F8, 6_2_6E209D29, 6_2_6E209A4B, 6_2_6E209AD6, 6_2_6E20A024, 6_2_6E1F8821, 6_2_6E1F9144, 6_2_6E209947, 6_2_6E2099B0
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_6E1E3080 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 6_2_6E1E146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match, File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match, File source: 6.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Techniques per tactic; the number in parentheses after a technique is the count of matched signatures for it.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Native API (1), Scheduled Task/Job, At (Linux), At (Windows), Cron
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
  • Privilege Escalation: Process Injection (12), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
  • Defense Evasion: Rundll32 (1), Process Injection (12), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Software Packing
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: System Time Discovery (1), Security Software Discovery (2), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (23)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
  • Command and Control: Encrypted Channel (1), Junk Data, Steganography, Protocol Impersonation, Fallback Channels
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph

Behavior Graph ID: 430072, Sample: soft.dll, Start date: 06/06/2021, Architecture: WINDOWS, Score: 56
Graph nodes: loaddll32.exe started; it started cmd.exe and three rundll32.exe processes; cmd.exe started one further rundll32.exe. Flagged signatures: Multi AV Scanner detection for submitted file; Yara detected Ursnif.
