Analysis Report QDfpQK7SOG.dll

Overview

General Information

Sample Name: QDfpQK7SOG.dll
Analysis ID: 430230
MD5: 320192b545d3f45fd588b741c30fb2ec
SHA1: 807433d7c1f8c7629ebcafd9d2c4e6797c82ce16
SHA256: 2ee0e0b21737b7f9ecc613be83b7ec84560d0770f794a819afe64f54b0e7743b
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: QDfpQK7SOG.dll Avira: detected
Multi AV Scanner detection for submitted file
Source: QDfpQK7SOG.dll Virustotal: Detection: 59%
Source: QDfpQK7SOG.dll ReversingLabs: Detection: 65%

Compliance:

Uses 32bit PE files
Source: QDfpQK7SOG.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: QDfpQK7SOG.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb source: loaddll32.exe, 00000002.00000002.683594147.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.690126193.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.691931847.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 0000000F.00000002.697216102.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000012.00000002.686162523.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 00000018.00000002.696718223.000000006E22A000.00000002.00020000.sdmp, rundll32.exe, 0000001A.00000002.664832906.000000006E22A000.00000002.00020000.sdmp, QDfpQK7SOG.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: QDfpQK7SOG.dll, type: SAMPLE
Source: Yara match File source: 0000001A.00000002.664721905.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.677279699.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.686115705.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.687931274.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.696642986.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.690715845.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.675775659.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 26.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.6e1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000002.00000002.675698694.00000000010FB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the matched string is an XML hook descriptor naming DirectDrawCreateEx in ddraw.dll, which is a DirectDraw entry point rather than a DirectInput call; on its own it is weak evidence of keystroke capture.

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: QDfpQK7SOG.dll, type: SAMPLE
Source: Yara match File source: 0000001A.00000002.664721905.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.677279699.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.686115705.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.687931274.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.696642986.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.690715845.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.675775659.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 26.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.6e1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1E3E00 2_2_6E1E3E00
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1E1C3C 2_2_6E1E1C3C
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E2167D9 2_2_6E2167D9
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E2084BB 2_2_6E2084BB
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E2202BC 2_2_6E2202BC
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E210396 2_2_6E210396
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1FE079 2_2_6E1FE079
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1F5150 2_2_6E1F5150
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E3E00 4_2_6E1E3E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2167D9 4_2_6E2167D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E1C3C 4_2_6E1E1C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2084BB 4_2_6E2084BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2202BC 4_2_6E2202BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E210396 4_2_6E210396
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1FE079 4_2_6E1FE079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1F5150 4_2_6E1F5150
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E1E3E00 15_2_6E1E3E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E2167D9 15_2_6E2167D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E1E1C3C 15_2_6E1E1C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E2084BB 15_2_6E2084BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E2202BC 15_2_6E2202BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E210396 15_2_6E210396
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E1FE079 15_2_6E1FE079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E1F5150 15_2_6E1F5150
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1E0990 appears 34 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1E00AC appears 100 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1E0990 appears 57 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1E00E0 appears 57 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1E00AC appears 199 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E2023A9 appears 35 times
Source: classification engine Classification label: mal64.troj.winDLL@55/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5700:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7024:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1604:120:WilError_01
Source: QDfpQK7SOG.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,Connectdark
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\QDfpQK7SOG.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\QDfpQK7SOG.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,Connectdark
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\QDfpQK7SOG.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,Mindlake
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,Porthigh
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,Problemscale
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,WingGrass
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: Window Recorder Window detected: More than 3 window changes detected
Source: QDfpQK7SOG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: QDfpQK7SOG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: QDfpQK7SOG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: QDfpQK7SOG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: QDfpQK7SOG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: QDfpQK7SOG.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: QDfpQK7SOG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: QDfpQK7SOG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: QDfpQK7SOG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: QDfpQK7SOG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: QDfpQK7SOG.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
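The process tree recorded above (loaddll32.exe invoking rundll32.exe on the Desktop-resident DLL by export name, and rundll32.exe spawning cmd.exe) is also the shape a detection rule would key on. The following Python is an added example and not part of the sandbox report: it walks process-creation events transcribed from the lines above, extracts the DLL path and entry point from each rundll32 command line, and flags DLL loads from user-writable directories as well as shells spawned by rundll32. The event tuple layout, the helper names, the list of user-writable path fragments and the benign control event are assumptions made for this example; a real deployment would feed it Sysmon Event ID 1 or EDR process records instead.

```python
import re
from pathlib import PureWindowsPath

# Process-creation events transcribed from the report above as
# (parent image, child image, command line). "unknown" is how the
# sandbox records the parent of the initial launch.
REPORT_EVENTS = [
    ("unknown", r"C:\Windows\System32\loaddll32.exe",
     r"loaddll32.exe 'C:\Users\user\Desktop\QDfpQK7SOG.dll'"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\QDfpQK7SOG.dll',#1"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,Connectdark"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe 'C:\Users\user\Desktop\QDfpQK7SOG.dll',#1"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c cd Island"),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c cd Matter m"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,Mindlake"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,Porthigh"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,Problemscale"),
    (r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\user\Desktop\QDfpQK7SOG.dll,WingGrass"),
]

# Constructed benign control (not from the report): Explorer opening a
# Control Panel applet through rundll32 with a DLL that lives in System32.
BENIGN_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

# rundll32 accepts "<dll>,<export>" or "<dll>,#<ordinal>", optionally quoted.
_RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+'?([^',]+?)'?\s*,\s*(\S+)", re.IGNORECASE)
_SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# Path fragments treated as user-writable for this example (an assumption).
_USER_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def parse_rundll32(cmdline):
    """Return (dll_path, entry_point) for a rundll32 command line, or None."""
    m = _RUNDLL_RE.search(cmdline)
    return (m.group(1).strip(), m.group(2)) if m else None


def is_user_writable(path):
    p = path.lower()
    return any(d in p for d in _USER_DIRS)


def _name(image):
    return PureWindowsPath(image).name.lower()


def analyze(events):
    """Flag rundll32 loads of DLLs from user-writable paths and shells spawned by rundll32."""
    dll_loads, entries, shells = [], set(), []
    for parent, child, cmdline in events:
        if _name(child) == "rundll32.exe":
            parsed = parse_rundll32(cmdline)
            if parsed and is_user_writable(parsed[0]):
                dll_loads.append((_name(parent), parsed[0], parsed[1]))
                entries.add(parsed[1])
        if _name(parent) == "rundll32.exe" and _name(child) in _SHELLS:
            shells.append(cmdline)
    return {
        "dll_loads": dll_loads,                 # (parent, dll, entry) per suspicious load
        "entries": sorted(entries),             # exports/ordinals seen: here 6 distinct
        "shell_from_rundll32": shells,          # cmd.exe children of rundll32: here 2
        "suspicious": bool(dll_loads) or bool(shells),
    }
```

The export names this surfaces (Connectdark, Mindlake, Porthigh, Problemscale, WingGrass, plus the ordinal call #1) are worth recording as indicators for this sample. Note that the sandbox's own loader (loaddll32.exe) is what invokes each export in turn, so the number of rundll32 instances reflects the harness rather than the malware's own behaviour; on a real host one rundll32 invocation of a DLL from a user profile directory is already enough to alert on.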

Data Obfuscation:

PE file contains an invalid checksum
Source: QDfpQK7SOG.dll Static PE information: real checksum: 0xf3990 should be: 0xf1211
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1E09D6 push ecx; ret 2_2_6E1E09E9
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1E0075 push ecx; ret 2_2_6E1E0088
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E0075 push ecx; ret 4_2_6E1E0088
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E09D6 push ecx; ret 4_2_6E1E09E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E1E0075 push ecx; ret 15_2_6E1E0088
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E1E09D6 push ecx; ret 15_2_6E1E09E9
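The checksum mismatch reported above (stored 0xf3990, expected 0xf1211) can be reproduced without the sandbox. The following Python is an added example, not part of the report: it implements the IMAGE_OPTIONAL_HEADER.CheckSum algorithm (a one's-complement sum of the file's 16-bit words with the CheckSum field itself excluded, plus the file length) and checks it against a constructed, header-only PE32 stub. The stub, the helper names and the expected value 0xA188 for the stub are constructed for this example; run the script on QDfpQK7SOG.dll to reproduce the report's two numbers.

```python
import struct


def _checksum_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, after validating the MZ/PE headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # PE signature (4) + IMAGE_FILE_HEADER (20) + CheckSum at 0x40 into the optional header.
    off = e_lfanew + 4 + 20 + 0x40
    if off + 4 > len(data):
        raise ValueError("file too short to contain the CheckSum field")
    return off


def stored_checksum(data: bytes) -> int:
    """CheckSum value as written in the optional header."""
    return struct.unpack_from("<I", data, _checksum_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """Recompute the PE checksum the way ImageHlp's CheckSumMappedFile does."""
    buf = bytearray(data)
    off = _checksum_offset(data)
    buf[off:off + 4] = b"\0\0\0\0"       # the CheckSum field itself is excluded from the sum
    if len(buf) % 2:
        buf.append(0)                    # a trailing odd byte is summed as a zero-extended word
    total = 0
    for (word,) in struct.iter_unpack("<H", buf):
        total += word
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry (one's-complement add)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)              # the original, unpadded length is added


def checksum_matches(data: bytes) -> bool:
    """True when the stored CheckSum equals the recomputed one (0 in the header never matches)."""
    return stored_checksum(data) == pe_checksum(data)


def build_sample_pe(checksum_field: int) -> bytes:
    """Constructed 160-byte header-only PE32 stub used to exercise the functions above."""
    buf = bytearray(0xA0)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                  # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 4 + 20, 0x10B)        # optional header Magic = PE32
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 0x40, checksum_field)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read()
    print(f"stored: {stored_checksum(data):#x}  computed: {pe_checksum(data):#x}  "
          f"match: {checksum_matches(data)}")
```

Windows only enforces this checksum for drivers and a few boot-critical system DLLs, so a wrong value in a user-mode DLL does not break loading and is not malicious by itself; it does show the file was modified after the linker wrote it (packing, patching or appended data), which fits the other obfuscation findings in this section. A stored value of 0 is common in ordinary user-mode binaries and is a different case from the non-zero mismatch seen here.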

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: QDfpQK7SOG.dll, type: SAMPLE
Source: Yara match File source: 0000001A.00000002.664721905.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.677279699.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.686115705.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.687931274.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.696642986.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.690715845.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.675775659.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 26.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.6e1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E201F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E201F6D
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E20966F mov eax, dword ptr fs:[00000030h] 2_2_6E20966F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E20966F mov eax, dword ptr fs:[00000030h] 4_2_6E20966F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E20966F mov eax, dword ptr fs:[00000030h] 15_2_6E20966F
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1E07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E1E07A7
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1E0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E1E0288
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E201F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E201F6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E1E07A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1E0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6E1E0288
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E201F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_6E201F6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E1E07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 15_2_6E1E07A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E1E0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_6E1E0288

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\QDfpQK7SOG.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: loaddll32.exe, 00000002.00000002.675721619.0000000001580000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.664452445.0000000003200000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.687883244.0000000002F50000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.683862618.0000000003230000.00000002.00000001.sdmp, rundll32.exe, 00000012.00000002.684399021.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.696572906.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.664660133.00000000030E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000002.00000002.675721619.0000000001580000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.664452445.0000000003200000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.687883244.0000000002F50000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.683862618.0000000003230000.00000002.00000001.sdmp, rundll32.exe, 00000012.00000002.684399021.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.696572906.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.664660133.00000000030E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000002.00000002.675721619.0000000001580000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.664452445.0000000003200000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.687883244.0000000002F50000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.683862618.0000000003230000.00000002.00000001.sdmp, rundll32.exe, 00000012.00000002.684399021.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.696572906.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.664660133.00000000030E0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000002.00000002.675721619.0000000001580000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.664452445.0000000003200000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.687883244.0000000002F50000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.683862618.0000000003230000.00000002.00000001.sdmp, rundll32.exe, 00000012.00000002.684399021.00000000031E0000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.696572906.00000000033A0000.00000002.00000001.sdmp, rundll32.exe, 0000001A.00000002.664660133.00000000030E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1E0604 cpuid 2_2_6E1E0604
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 2_2_6E21DF65
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E21DD96
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 2_2_6E213952
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 2_2_6E21E61F
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E21E6EC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E21E518
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 2_2_6E214323
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoEx, 2_2_6E1DF364
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 2_2_6E21E3EF
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 2_2_6E21E00E
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 2_2_6E21E077
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 2_2_6E21E112
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 2_2_6E1DF1B7
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E21E19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E21E61F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E21E6EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E21DF65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6E21E518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6E21DD96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E214323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 4_2_6E1DF364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E21E3EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E21E00E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E21E077
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E21E112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E213952
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E1DF1B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E21E19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 15_2_6E21E61F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 15_2_6E21E6EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 15_2_6E21DF65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 15_2_6E21E518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 15_2_6E21DD96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 15_2_6E214323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 15_2_6E1DF364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 15_2_6E21E3EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 15_2_6E21E00E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 15_2_6E21E077
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 15_2_6E21E112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 15_2_6E213952
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 15_2_6E1DF1B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 15_2_6E21E19F
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1C9A14 GetSystemTimeAsFileTime, 2_2_6E1C9A14
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E218951 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 2_2_6E218951

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: QDfpQK7SOG.dll, type: SAMPLE
Source: Yara match File source: 0000001A.00000002.664721905.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.677279699.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.686115705.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.687931274.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.696642986.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.690715845.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.675775659.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 26.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.6e1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: QDfpQK7SOG.dll, type: SAMPLE
Source: Yara match File source: 0000001A.00000002.664721905.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.677279699.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.686115705.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.687931274.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.696642986.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.690715845.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.675775659.000000006E1A1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 26.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.loaddll32.exe.6e1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.6e1a0000.1.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 2_2_6E1A16BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1A16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 4_2_6E1A16BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_6E1A16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 15_2_6E1A16BC
No contacted IP infos