Loading ...

Play interactive tourEdit tour

Analysis Report SecuriteInfo.com..7135.20767

Overview

General Information

Sample Name:SecuriteInfo.com..7135.20767 (renamed file extension from 20767 to dll)
Analysis ID:432910
MD5:5ba7ac7fa4f9e831679832b6cc22aee8
SHA1:813df24ac22c2666b28bc3e7fb9bd1eef2a7f395
SHA256:d2c19ac3eace29239bf919c442556abf782da5953325ee6b2626482fbf442f29
Tags:dllGozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4712 cmdline: loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6116 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5328 cmdline: rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 68 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4604 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 4456 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6012 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "oUnY8+/8G/QjijBEa03/PDDCyhbZrtKtx8eYSXLSbmKpR2omzPKPDVDiaj+dBCVC5Sp5s16D5EsjkO+S9MLdqEPK+/EAZI0qxYwv0GmWkXSlJi4jyYyJKc5a5Nek5/cWbmHSXPW+Rq2S8QAD5SioqB8j4ScC8nSuqcxPZwTdEUXuTG36kAdjIfamPdH5DlrmzxdodFTkShIE2IKM5O/dCTIwhTSQIj7YF2w9akzONLDoXT8cJE2CEp0UrlGkTtCcRTWQr67rMF2nSqm+ctweTZRfgBKtrDgiEDrXnhmUscy59twRBz1A7dRDpJryotUEkXjZHrb6gv4q0NjsbeCK4Jw4zYJf7CO+eANF3Bou0fo=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "jT7xNsiVSW2IugIq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 5 entries

            Sigma Overview

            No Sigma rule has matched

            Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus detection for URL or domainShow sources
            Source: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFqAvira URL Cloud: Label: malware
            Source: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpoAvira URL Cloud: Label: malware
            Found malware configurationShow sources
            Source: 00000005.00000003.323666044.0000000002AB0000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "oUnY8+/8G/QjijBEa03/PDDCyhbZrtKtx8eYSXLSbmKpR2omzPKPDVDiaj+dBCVC5Sp5s16D5EsjkO+S9MLdqEPK+/EAZI0qxYwv0GmWkXSlJi4jyYyJKc5a5Nek5/cWbmHSXPW+Rq2S8QAD5SioqB8j4ScC8nSuqcxPZwTdEUXuTG36kAdjIfamPdH5DlrmzxdodFTkShIE2IKM5O/dCTIwhTSQIj7YF2w9akzONLDoXT8cJE2CEp0UrlGkTtCcRTWQr67rMF2nSqm+ctweTZRfgBKtrDgiEDrXnhmUscy59twRBz1A7dRDpJryotUEkXjZHrb6gv4q0NjsbeCK4Jw4zYJf7CO+eANF3Bou0fo=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "1500", "server": "580", "serpent_key": "jT7xNsiVSW2IugIq", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
            Multi AV Scanner detection for domain / URLShow sources
            Source: authd.feronok.comVirustotal: Detection: 11%Perma Link
            Source: SecuriteInfo.com..7135.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: SecuriteInfo.com..7135.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: c:\571\bar\Nature\industry\Son.pdb source: loaddll32.exe, rundll32.exe, SecuriteInfo.com..7135.dll
            Source: Joe Sandbox ViewASN Name: SUPERSERVERSDATACENTERRU SUPERSERVERSDATACENTERRU
            Source: global trafficHTTP traffic detected: GET /INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq39/C9yL3XEqjGdzvV/F4wrCEliEtubK_2BQN3v0/mpD0sYBWj1_2BOoZ/MhYNZMroasOcyRm/Y7cgiiYGTmIYClS1bt/R_2BrGpes/V0WKbm6yczDyoBvOW06Z/_2FVUJ_2BtBEMJQ2mZ0/eqMRxCIXxJwUIjVA7qTLlE/f_2FwC5tmUPbh/r76jmp6x/obp7g2x_2BpjxmD9q5fMhKl/Y1cOMUM_2F/x9ahGBENuH7csdR7_/2FySnpeWZizz/XD203nXIqoX/COsoX4qlT56/jcBfJkpo HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: authd.feronok.comConnection: Keep-Alive
            Source: unknownDNS traffic detected: queries for: authd.feronok.com
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 10 Jun 2021 20:50:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
            Source: {FA4B99A6-CA78-11EB-90E4-ECF4BB862DED}.dat.23.dr, ~DF80E1CCC67DA5CD93.TMP.23.drString found in binary or memory: http://authd.feronok.com/INsgiuDpuLw85PPWCNwmsmw/LyIcaMF9BW/RDuesN3193oziv6jZ/21yngUSJZxlB/5U99_2BFq

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY
            Source: loaddll32.exe, 00000000.00000002.460078435.000000000073B000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY

            System Summary:

            barindex
            Writes registry values via WMIShow sources
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
            Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1C2485 NtQueryVirtualMemory,0_2_6E1C2485
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1C1B9C GetProcAddress,NtCreateSection,memset,4_2_6E1C1B9C
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1C1EC7 NtMapViewOfSection,4_2_6E1C1EC7
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1C2485 NtQueryVirtualMemory,4_2_6E1C2485
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1C22640_2_6E1C2264
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2237EA0_2_6E2237EA
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E23F1F00_2_6E23F1F0
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E23D7C50_2_6E23D7C5
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E23DFD20_2_6E23DFD2
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2245100_2_6E224510
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E291D400_2_6E291D40
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2372000_2_6E237200
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E23A2160_2_6E23A216
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2210100_2_6E221010
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2308E50_2_6E2308E5
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E22A9D30_2_6E22A9D3
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1C22644_2_6E1C2264
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E2237EA4_2_6E2237EA
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E23F1F04_2_6E23F1F0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E23D7C54_2_6E23D7C5
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E23DFD24_2_6E23DFD2
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E2245104_2_6E224510
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E291D404_2_6E291D40
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E2372004_2_6E237200
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E23A2164_2_6E23A216
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E2210104_2_6E221010
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E2308E54_2_6E2308E5
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E22A9D34_2_6E22A9D3
            Source: C:\Windows\System32\loaddll32.exeCode function: String function: 6E220F70 appears 31 times
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 6E220F70 appears 31 times
            Source: SecuriteInfo.com..7135.dllBinary or memory string: OriginalFilenameSon.dll8 vs SecuriteInfo.com..7135.dll
            Source: SecuriteInfo.com..7135.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: classification engineClassification label: mal76.troj.winDLL@12/13@1/1
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\HighJump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF00D3A9B95DF089AC.TMPJump to behavior
            Source: SecuriteInfo.com..7135.dllStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell
            Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll'
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Paragraphbell
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,Sharptwo
            Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1Jump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,ParagraphbellJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com..7135.dll,SharptwoJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1Jump to behavior
            Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4456 CREDAT:17410 /prefetch:2Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dllJump to behavior
            Source: SecuriteInfo.com..7135.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: SecuriteInfo.com..7135.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: SecuriteInfo.com..7135.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: SecuriteInfo.com..7135.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: SecuriteInfo.com..7135.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: SecuriteInfo.com..7135.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: SecuriteInfo.com..7135.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
            Source: SecuriteInfo.com..7135.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: c:\571\bar\Nature\industry\Son.pdb source: loaddll32.exe, rundll32.exe, SecuriteInfo.com..7135.dll
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1C1F7C LoadLibraryA,GetProcAddress,0_2_6E1C1F7C
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1C2200 push ecx; ret 0_2_6E1C2209
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1C2253 push ecx; ret 0_2_6E1C2263
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E220FB5 push ecx; ret 0_2_6E220FC8
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1D0B16 pushad ; iretd 0_2_6E1D0B17
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1CEBB5 pushfd ; iretd 0_2_6E1CEC0C
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1D2807 pushad ; retf 0_2_6E1D2809
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1D10D4 push 04853024h; retf 0_2_6E1D10DB
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1C2200 push ecx; ret 4_2_6E1C2209
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1C2253 push ecx; ret 4_2_6E1C2263
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E220FB5 push ecx; ret 4_2_6E220FC8
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1D0B16 pushad ; iretd 4_2_6E1D0B17
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1CEBB5 pushfd ; iretd 4_2_6E1CEC0C
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1D2807 pushad ; retf 4_2_6E1D2809
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E1D10D4 push 04853024h; retf 4_2_6E1D10DB

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY
            Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E238402 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,0_2_6E238402
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E238402 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,0_2_6E238402
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1C1F7C LoadLibraryA,GetProcAddress,0_2_6E1C1F7C
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E297188 mov eax, dword ptr fs:[00000030h]0_2_6E297188
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E2970BE mov eax, dword ptr fs:[00000030h]0_2_6E2970BE
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E296CC5 push dword ptr fs:[00000030h]0_2_6E296CC5
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E297188 mov eax, dword ptr fs:[00000030h]4_2_6E297188
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E2970BE mov eax, dword ptr fs:[00000030h]4_2_6E2970BE
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E296CC5 push dword ptr fs:[00000030h]4_2_6E296CC5
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E225139 GetProcessHeap,0_2_6E225139
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E225EA1 SetUnhandledExceptionFilter,0_2_6E225EA1
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E225ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_6E225ED2
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E225EA1 SetUnhandledExceptionFilter,4_2_6E225EA1
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6E225ED2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_6E225ED2
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\SecuriteInfo.com..7135.dll',#1Jump to behavior
            Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: loaddll32.exe, 00000000.00000002.460172900.0000000000CD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.461520126.0000000003680000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,0_2_6E1C1E8A
            Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E22E72D
            Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E22E438
            Source: C:\Windows\System32\loaddll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,0_2_6E22E4B5
            Source: C:\Windows\System32\loaddll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,0_2_6E22E538
            Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E22ED13
            Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,0_2_6E22ED99
            Source: C:\Windows\System32\loaddll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,0_2_6E22FA7E
            Source: C:\Windows\System32\loaddll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,0_2_6E223BC0
            Source: C:\Windows\System32\loaddll32.exeCode function: EnumSystemLocalesW,0_2_6E22E3DC
            Source: C:\Windows\System32\loaddll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_6E22E857
            Source: C:\Windows\System32\loaddll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,0_2_6E22E904
            Source: C:\Windows\System32\loaddll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,0_2_6E22E168
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,4_2_6E1C1E8A
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,4_2_6E22E72D
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,4_2_6E22E438
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _GetPrimaryLen,EnumSystemLocalesW,4_2_6E22E4B5
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,4_2_6E22E538
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6E22ED13
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,4_2_6E22ED99
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,4_2_6E22FA7E
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,4_2_6E223BC0
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: EnumSystemLocalesW,4_2_6E22E3DC
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6E22E857
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoW,_GetPrimaryLen,4_2_6E22E904
            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW,4_2_6E22E168
            Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1C1C7D SetThreadPriority,GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,0_2_6E1C1C7D
            Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6E1C1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6E1C1F10
            Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY

            Remote Access Functionality:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.430352092.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.464198146.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430424986.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430241635.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430313705.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430450163.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430406711.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430285928.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.430372927.0000000005A58000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5328, type: MEMORY

            Mitre Att&ck Matrix

            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
            Valid AccountsWindows Management Instrumentation1Path InterceptionProcess Injection12Masquerading1Input Capture1System Time Discovery1Remote ServicesInput Capture1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
            Default AccountsNative API1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection12LSASS MemoryQuery Registry1Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothIngress Tool Transfer3Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
            Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerSecurity Software Discovery3SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
            Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSProcess Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol3SIM Card SwapCarrier Billing Fraud
            Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptRundll321LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
            Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Information Discovery24VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

            Behavior Graph

            Hide Legend

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet