Analysis Report HP7cjYBnlS

Overview

General Information

Sample Name: HP7cjYBnlS (renamed file extension from none to dll)
Analysis ID: 430819
MD5: b8bc8b1740b329ff2baf16bcee6ca23d
SHA1: d9215e03d2ddae00041a4ddd731872025b3ce537
SHA256: aafda6138e0a43b153cc003b11f3e5fa8bf9e929d2356ec536b931a0ce983aa1
Tags: dll

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://authd.feronok.com/5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2 Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/ft4uMX2U8DExkako/7nz7XYcy_2FPVr_/2FPwc_2Fs5FKMespD3/eoY8gKUtH/5APsBMu_2FYgV7VnT01F/UNasB5xyXVRAz2U9YlK/vPhVaOevuoWXkOwOuvQxwX/WzTW2Vxlbm5Dm/rPytLuLu/KL_2FHSOlQc2K_2BpO7JML7/v1pC4egQVv/iWGaiNgaqJFCdjHoy/PoXO84M5LLuy/jOUqBl_2Bse/EY7p0c9R6kAidR/RKeKXozKr_2B2DMk4uhLx/44Gh2U87rhzhq5q8/e3uXzWyPgLhp7zv/L1Iu0qPLA6WpCvBUhY/ZBphUq1tO/a9IY_2Fv/fGT Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000005.00000003.328801653.0000000002F30000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "U9rEBqXZSYCa5+IGIsh6bG+yCElOQeh3mm/EbofYWnWn8eEmiiYrJf4LFttt0DUA+39n8FZdgzQ8+SZc3rzhnMPMr8Z4fx3D+fbRo+I1MIlbD4szoKzRpMkx5aTB8Cab5I+DXW6gWdfQr7HECFEcTAwpyJLhfIGXn6KxgwFOnVndUgrjSYq7Gck569kPOO4YXnbUwt69XT2FKUKDeX2hms5/QtXX3Hh9nmWOhvUxbY98vRvvbsLlPzjNF7v0QGIh4X7uypp3Ivkr2P2sMxabdSYOW4HN4JM/VPPFS2qTgX6hwJ09dF8P8HXDM24KI8tEs5YG59SMhcwCDFrBdfAkYEtatx5JFUNCiZ8QoDq+MTA=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "5500", "server": "580", "serpent_key": "w81KRA2f0ixucq4e", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: authd.feronok.com Virustotal: Detection: 12%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030839C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 4_2_030839C5

Compliance:

Uses 32bit PE files
Source: HP7cjYBnlS.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: HP7cjYBnlS.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\doctor\223\Top\key\each M\Iron.pdb source: loaddll32.exe, 00000001.00000002.474423465.000000006E242000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.476442754.000000006E242000.00000002.00020000.sdmp, HP7cjYBnlS.dll
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DBE2B FindFirstFileExW,FindNextFileW,FindClose, 1_2_6E1DBE2B
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DBA6F FindFirstFileExW, 1_2_6E1DBA6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1DBE2B FindFirstFileExW,FindNextFileW,FindClose, 4_2_6E1DBE2B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1DBA6F FindFirstFileExW, 4_2_6E1DBA6F

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic HTTP traffic detected:
GET /5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2BQXv/jhaYgnRoJXbt0p9E/b8fATrD6qQYegBk/Z_2BGMca1pIbKyE0_2/B6xQROT_2/FVtM7cI_2F4AqKBZTcM8/ka_2F9uVk0Uf7i421qg/djhua0iQVsNSQqZdHOVnOp/1bWWjsxwMvE9P/MwkEBGYh/46lRSAqS_2BR6Lm5JNn7FqF/Gnvaxpv6Hg/PmOIMmhyTSho2PVt_/2FS0IBXGm_2B/SjjfTOvQzGo/_2FqD_2BGuMeOB/vnbxHYtmqGY_2BlpC/_2BvpW HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: authd.feronok.com
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /ft4uMX2U8DExkako/7nz7XYcy_2FPVr_/2FPwc_2Fs5FKMespD3/eoY8gKUtH/5APsBMu_2FYgV7VnT01F/UNasB5xyXVRAz2U9YlK/vPhVaOevuoWXkOwOuvQxwX/WzTW2Vxlbm5Dm/rPytLuLu/KL_2FHSOlQc2K_2BpO7JML7/v1pC4egQVv/iWGaiNgaqJFCdjHoy/PoXO84M5LLuy/jOUqBl_2Bse/EY7p0c9R6kAidR/RKeKXozKr_2B2DMk4uhLx/44Gh2U87rhzhq5q8/e3uXzWyPgLhp7zv/L1Iu0qPLA6WpCvBUhY/ZBphUq1tO/a9IY_2Fv/fGT HTTP/1.1
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: authd.feronok.com
Connection: Keep-Alive
Source: msapplication.xml0.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xe0e390e5,0x01d75c4d</date><accdate>0xe0e390e5,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.23.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xe0ed1a45,0x01d75c4d</date><accdate>0xe0ed1a45,0x01d75c4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: authd.feronok.com
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 08 Jun 2021 01:05:27 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Content-Encoding: gzip
Source: {09EF2733-C841-11EB-90E4-ECF4BB862DED}.dat.23.dr String found in binary or memory: http://authd.feronok.com/5FNMYYgHAZL8fVyyU/16CafLRrMTz3/QRf0T9yKnnG/48zYuAResxRN4Y/8IsjuLfvxqx5QmY_2
Source: msapplication.xml.23.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.23.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.23.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.23.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.23.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.23.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.23.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.23.dr String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2160, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5564, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030839C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 4_2_030839C5

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B1B9C GetProcAddress,NtCreateSection,memset, 1_2_6E1B1B9C
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B1EC7 NtMapViewOfSection, 1_2_6E1B1EC7
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B2485 NtQueryVirtualMemory, 1_2_6E1B2485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03082D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_03082D06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03088005 NtQueryVirtualMemory, 4_2_03088005
Detected potential crypto function
Uses 32bit PE files
Source: HP7cjYBnlS.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal80.troj.winDLL@12/22@2/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0308513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 4_2_0308513E
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF911219CB699D8BEF.TMP
Source: HP7cjYBnlS.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Lastinch
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\HP7cjYBnlS.dll,Ownof
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5936 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: HP7cjYBnlS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HP7cjYBnlS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HP7cjYBnlS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HP7cjYBnlS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HP7cjYBnlS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HP7cjYBnlS.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: HP7cjYBnlS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HP7cjYBnlS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HP7cjYBnlS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HP7cjYBnlS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HP7cjYBnlS.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B1F7C LoadLibraryA,GetProcAddress, 1_2_6E1B1F7C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B2200 push ecx; ret 1_2_6E1B2209
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B2253 push ecx; ret 1_2_6E1B2263
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E282E55 push esi; ret 1_2_6E282E5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03087DCF push ecx; ret 4_2_03087DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03087A60 push ecx; ret 4_2_03087A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E282E55 push esi; ret 4_2_6E282E5E

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1D520E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E1D520E
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DB429 mov eax, dword ptr fs:[00000030h] 1_2_6E1DB429
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DB21D mov eax, dword ptr fs:[00000030h] 1_2_6E1DB21D
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DB260 mov eax, dword ptr fs:[00000030h] 1_2_6E1DB260
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DB2BB mov eax, dword ptr fs:[00000030h] 1_2_6E1DB2BB
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DB370 mov eax, dword ptr fs:[00000030h] 1_2_6E1DB370
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DB3B4 mov eax, dword ptr fs:[00000030h] 1_2_6E1DB3B4
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DB3F8 mov eax, dword ptr fs:[00000030h] 1_2_6E1DB3F8
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1CB0D0 mov eax, dword ptr fs:[00000030h] 1_2_6E1CB0D0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1CB112 mov ecx, dword ptr fs:[00000030h] 1_2_6E1CB112
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DB1DA mov eax, dword ptr fs:[00000030h] 1_2_6E1DB1DA
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E280A6A mov eax, dword ptr fs:[00000030h] 1_2_6E280A6A
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E2809A0 mov eax, dword ptr fs:[00000030h] 1_2_6E2809A0
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E2805A7 push dword ptr fs:[00000030h] 1_2_6E2805A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1DB429 mov eax, dword ptr fs:[00000030h] 4_2_6E1DB429
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1DB21D mov eax, dword ptr fs:[00000030h] 4_2_6E1DB21D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1DB260 mov eax, dword ptr fs:[00000030h] 4_2_6E1DB260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1DB2BB mov eax, dword ptr fs:[00000030h] 4_2_6E1DB2BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1DB370 mov eax, dword ptr fs:[00000030h] 4_2_6E1DB370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1DB3B4 mov eax, dword ptr fs:[00000030h] 4_2_6E1DB3B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1DB3F8 mov eax, dword ptr fs:[00000030h] 4_2_6E1DB3F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1CB0D0 mov eax, dword ptr fs:[00000030h] 4_2_6E1CB0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1DB1DA mov eax, dword ptr fs:[00000030h] 4_2_6E1DB1DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E280A6A mov eax, dword ptr fs:[00000030h] 4_2_6E280A6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2809A0 mov eax, dword ptr fs:[00000030h] 4_2_6E2809A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2805A7 push dword ptr fs:[00000030h] 4_2_6E2805A7
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1DED89 GetProcessHeap, 1_2_6E1DED89
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1D520E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6E1D520E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1D520E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E1D520E
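The three encodings listed above (mov eax, fs:[30h]; mov ecx, fs:[30h]; push dword ptr fs:[30h]) are what a static "reads the PEB" signature looks for. The following is an added example, not part of this report or the sample: a byte-level scanner for those encodings plus the IsDebuggerPresent import name. The byte string it scans is constructed to mirror the report's disassembly; the image base passed in is only used to print report-style addresses.

```python
"""
Static scan for x86 PEB accesses of the kind the report lists under
"Contains functionality to read the PEB" (mov reg, fs:[30h] / push fs:[30h]).
Added example, not part of the sandbox report; the sample bytes below are
constructed to mirror the report's disassembly, not taken from the DLL.
"""
import re
import struct

# On 32-bit Windows the FS segment base is the TEB; offset 0x30 holds the
# pointer to the PEB. PEB+0x02 is BeingDebugged and PEB+0x68 is NtGlobalFlag,
# which is why fs:[30h] reads are an anti-debugging indicator (although the
# CRT and ordinary heap/loader code read the PEB too, so they are only a lead).
PEB_OFFSET = 0x30

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def _patterns():
    """Build (compiled regex, description) pairs for the common encodings."""
    disp = struct.pack("<I", PEB_OFFSET)           # 30 00 00 00
    pats = []
    # 64 A1 <disp32>        : mov eax, fs:[disp32]  (short moffs32 form)
    pats.append((re.escape(b"\x64\xA1" + disp), "mov eax, dword ptr fs:[30h]"))
    # 64 8B /r, mod=00 rm=101 (disp32): modrm = 0x05 | (reg << 3)
    for reg_idx, name in enumerate(REG32):
        modrm = bytes([0x05 | (reg_idx << 3)])
        pats.append((re.escape(b"\x64\x8B" + modrm + disp),
                     f"mov {name}, dword ptr fs:[30h]"))
    # 64 FF 35 <disp32>     : push dword ptr fs:[disp32]
    pats.append((re.escape(b"\x64\xFF\x35" + disp), "push dword ptr fs:[30h]"))
    return [(re.compile(p), d) for p, d in pats]

PATTERNS = _patterns()

def find_peb_reads(code: bytes, image_base: int = 0):
    """Return a sorted list of (address, description) for every fs:[30h]
    access in `code`. Pure byte matching: it can also fire on data or on a
    mid-instruction overlap, so confirm hits in a disassembler."""
    hits = []
    for rx, desc in PATTERNS:
        for m in rx.finditer(code):
            hits.append((image_base + m.start(), desc))
    return sorted(hits)

def is_debugger_present_imported(image: bytes) -> bool:
    """Crude check for the import name the report pairs with the PEB reads."""
    return b"IsDebuggerPresent\x00" in image

# Constructed sample: padding, the three encodings the report lists
# (mov eax / mov ecx / push), a TEB self-pointer read that must NOT match,
# and an import-name string.
SAMPLE = (
    b"\x90" * 4
    + b"\x64\xA1\x30\x00\x00\x00"            # mov eax, fs:[30h]
    + b"\x8B\x40\x02"                         # mov eax, [eax+2]  (BeingDebugged)
    + b"\x64\x8B\x0D\x30\x00\x00\x00"        # mov ecx, fs:[30h]
    + b"\x64\xFF\x35\x30\x00\x00\x00"        # push dword ptr fs:[30h]
    + b"\x64\xA1\x18\x00\x00\x00"            # mov eax, fs:[18h]  (TEB, not PEB)
    + b"IsDebuggerPresent\x00"
)

if __name__ == "__main__":
    for va, desc in find_peb_reads(SAMPLE, image_base=0x6E1D0000):
        print(f"{va:08X}  {desc}")
    print("imports IsDebuggerPresent:", is_debugger_present_imported(SAMPLE))
```

Run against a dumped image this yields the same kind of list as the report's "Contains functionality to read the PEB" entries; a run against the unpacked regions (the 0x0308xxxx addresses elsewhere in the report) is more informative than the on-disk DLL, whose hits are largely CRT startup code.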

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\HP7cjYBnlS.dll',#1 Jump to behavior
Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000001.00000002.472113602.00000000018F0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.473066797.0000000003860000.00000002.00000001.sdmp Binary or memory string: Progmanlock
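The process-creation line above (cmd.exe launching rundll32.exe on a DLL from the user's Desktop, calling export #1 by ordinal) is the part of this report that maps directly onto endpoint telemetry. What follows is an added example, not part of the report: scoring logic for rundll32 process-creation events. The event records are constructed in a Sysmon Event ID 1-like shape (field names Image, ParentImage, CommandLine are an assumption about the log source); the first record mirrors the report's process tree, the other two are made up for contrast.

```python
"""
Detection logic for the process-creation event in the report: cmd.exe spawning
rundll32.exe with a DLL from the user's Desktop and an ordinal export (#1).
Added example, not part of the sandbox report; the event records below are
constructed in a Sysmon Event ID 1-like shape, not taken from the analysis.
"""
import re
from dataclasses import dataclass, field

# rundll32[.exe] <dll>,<export>  with optional quoting around the DLL path
RUNDLL_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+["']?(?P<dll>[^"',]+?)["']?\s*,\s*(?P<export>#?\w+)""",
    re.IGNORECASE,
)
# Paths a standard user can write to; a DLL run from here by rundll32 is far
# more often a dropped payload than a legitimate component.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
# Parents that do not normally launch rundll32 with arbitrary DLLs.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if self.score >= 3 else "medium" if self.score >= 1 else "none"

def score_rundll32_event(event: dict) -> Verdict:
    """Score one process-creation record (keys Image, ParentImage, CommandLine)."""
    v = Verdict()
    if not event["Image"].lower().endswith("\\rundll32.exe"):
        return v
    m = RUNDLL_RE.search(event["CommandLine"])
    if not m:
        return v
    dll, export = m.group("dll"), m.group("export")
    if any(marker in dll.lower() for marker in USER_WRITABLE):
        v.score += 2
        v.reasons.append(f"DLL loaded from user-writable path: {dll}")
    if export.startswith("#"):
        v.score += 1
        v.reasons.append(f"export called by ordinal: {export}")
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        v.score += 1
        v.reasons.append(f"unusual parent process: {parent}")
    return v

# Constructed events: ev-1 mirrors the report's process tree, ev-2 is a benign
# Control Panel launch, ev-3 is an Office-spawned loader from %TEMP%.
EVENTS = [
    {"Id": "ev-1", "ParentImage": "C:\\Windows\\SysWOW64\\cmd.exe",
     "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "CommandLine": "rundll32.exe 'C:\\Users\\user\\Desktop\\HP7cjYBnlS.dll',#1"},
    {"Id": "ev-2", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"Id": "ev-3", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\upd.dll,DllRegisterServer"},
]

def triage(events):
    """Return {event id: Verdict} for every event that scored at all."""
    out = {}
    for ev in events:
        v = score_rundll32_event(ev)
        if v.score:
            out[ev["Id"]] = v
    return out

if __name__ == "__main__":
    for eid, v in triage(EVENTS).items():
        print(eid, v.severity, v.score, "; ".join(v.reasons))
```

The ordinal-export signal on its own is weak (some legitimate callers use ordinals), which is why it only adds one point; the user-writable path plus a shell or Office parent is what lifts the report's event to "high".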

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03084454 cpuid 4_2_03084454
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 1_2_6E1B1E8A
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E1DDE5B
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E1DDE84
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E1E4C9D
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E1E4D06
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E1DDD84
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 1_2_6E1E4DA1
Source: C:\Windows\System32\loaddll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_6E1E49FB
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 1_2_6E1DE7A7
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_6E1E537A
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_6E1E51A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E1DE7A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E1E4C9D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E1E4D06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E1DDD84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E1E4DA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E1E537A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6E1E51A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6E1E49FB
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B1144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_6E1B1144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03084454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 4_2_03084454
Source: C:\Windows\System32\loaddll32.exe Code function: 1_2_6E1B1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_6E1B1F10
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2160, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5564, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2160, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5564, type: MEMORY
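The same eighteen memory-dump matches are listed under both "Stealing of Sensitive Information" and "Remote Access Functionality"; for config extraction the question is which dumps to actually pull. The following is an added example, not part of the report: a parser for the dump identifiers above that groups the hits by process and region and selects one dump per region. The identifier is read as <process index>.<phase>.<sequence>.<base address>.<flag>.<flag>.sdmp; that phase 2 is the end-of-run dump and phase 3 a dump taken during execution is an assumption, as is treating the sequence number as time-ordered, and the two trailing flag fields are kept opaque. The process-index-to-name mapping comes from the report's 1_2_ and 4_2_ code-function prefixes.

```python
"""
Triage helper for the Yara memory matches listed above: parse Joe Sandbox
memory-dump identifiers, group the hits by process and region, and pick the
single dump per region worth pulling for config extraction.
Added example, not part of the sandbox report. Identifier layout assumed as
<proc idx>.<phase>.<seq>.<base addr>.<flag a>.<flag b>.sdmp; phase 2 as the
final dump and phase 3 as an in-run dump is an assumption, and the two
trailing flag fields are kept opaque.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)"
    r"\.(?P<base>[0-9A-Fa-f]{16})\.(?P<flag_a>[0-9A-Fa-f]{8})\.(?P<flag_b>[0-9A-Fa-f]{8})\.sdmp$"
)

# Process index -> name, from the report's 1_2_ / 4_2_ code-function prefixes.
PROC_NAMES = {1: "loaddll32.exe", 4: "rundll32.exe"}

def parse_dump_id(name: str) -> dict:
    """Split one dump identifier into typed fields."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump identifier: {name!r}")
    return {
        "proc": int(m["proc"], 16),
        "phase": int(m["phase"], 16),
        "seq": int(m["seq"]),
        "base": int(m["base"], 16),
        "flags": (int(m["flag_a"], 16), int(m["flag_b"], 16)),
        "name": name.strip(),
    }

def group_hits(names):
    """Group identifiers by (process, base address). Returns
    {(proc, base): {"count": n, "final": name-or-None, "latest": name}}."""
    groups = defaultdict(list)
    for n in names:
        d = parse_dump_id(n)
        groups[(d["proc"], d["base"])].append(d)
    summary = {}
    for key, dumps in groups.items():
        final = [d for d in dumps if d["phase"] == 2]      # assumed: end-of-run dump
        latest = max(dumps, key=lambda d: d["seq"])        # assumed: seq is time-ordered
        summary[key] = {
            "count": len(dumps),
            "final": final[0]["name"] if final else None,
            "latest": latest["name"],
        }
    return summary

def pick_dumps(names):
    """One dump per region: the final dump when present, else the latest one."""
    return {key: (s["final"] or s["latest"]) for key, s in group_hits(names).items()}

# The Yara match list from the report (memory-dump entries only).
YARA_HITS = """
00000001.00000003.375144383.0000000003A58000.00000004.00000040.sdmp
00000004.00000003.456094378.0000000005BB8000.00000004.00000040.sdmp
00000001.00000003.375123704.0000000003A58000.00000004.00000040.sdmp
00000001.00000003.375061576.0000000003A58000.00000004.00000040.sdmp
00000001.00000002.473815277.0000000003A58000.00000004.00000040.sdmp
00000004.00000003.456111628.0000000005BB8000.00000004.00000040.sdmp
00000001.00000003.375035453.0000000003A58000.00000004.00000040.sdmp
00000004.00000003.456029858.0000000005BB8000.00000004.00000040.sdmp
00000001.00000003.375085386.0000000003A58000.00000004.00000040.sdmp
00000004.00000003.456137723.0000000005BB8000.00000004.00000040.sdmp
00000004.00000002.476067221.0000000005BB8000.00000004.00000040.sdmp
00000001.00000003.375104521.0000000003A58000.00000004.00000040.sdmp
00000004.00000003.456077100.0000000005BB8000.00000004.00000040.sdmp
00000001.00000003.375160465.0000000003A58000.00000004.00000040.sdmp
00000004.00000003.456001052.0000000005BB8000.00000004.00000040.sdmp
00000001.00000003.375172121.0000000003A58000.00000004.00000040.sdmp
00000004.00000003.456056228.0000000005BB8000.00000004.00000040.sdmp
00000004.00000003.455955678.0000000005BB8000.00000004.00000040.sdmp
""".split()

if __name__ == "__main__":
    for (proc, base), s in sorted(group_hits(YARA_HITS).items()):
        print(f"{PROC_NAMES.get(proc, '?')} (idx {proc}) base {base:08X}: "
              f"{s['count']} hits, final dump: {s['final']}")
```

All eighteen matches collapse to two regions, 0x3A58000 in loaddll32.exe and 0x5BB8000 in rundll32.exe, each with one end-of-run dump; those two files are the ones to feed a config extractor first.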