Analysis Report n8x3d68Gnd.dll

Overview

General Information

Sample Name:	n8x3d68Gnd.dll
Analysis ID:	433105
MD5:	d5c0bac78e53b46b2fff5e470e98210c
SHA1:	a00da4d379748f9e6f2de1006f10156aa8c36f39
SHA256:	b92289a53611d6f8c078e931c3c5c6ce577e05358bdf54389830e962090991b7
Tags:	dllGoziISFBUrsnif
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Yara detected Ursnif

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found potential string decryption / allocating functions

PE file contains an invalid checksum

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: n8x3d68Gnd.dll

Avira: detected

Compliance:

Uses 32bit PE files

Source: n8x3d68Gnd.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: n8x3d68Gnd.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb source: loaddll32.exe, 00000000.00000002.917348475.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.962266346.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.966549203.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.966145648.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.964938469.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.921321344.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 00000018.00000002.959988796.000000006D4EA000.00000002.00020000.sdmp, n8x3d68Gnd.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match	File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000002.917221171.000000000159B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match	File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A1C3C	0_2_6D4A1C3C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A3E00	0_2_6D4A3E00
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C84BB	0_2_6D4C84BB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4D67D9	0_2_6D4D67D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B5150	0_2_6D4B5150
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4BE079	0_2_6D4BE079
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4D0396	0_2_6D4D0396
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E02BC	0_2_6D4E02BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A1C3C	2_2_6D4A1C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A3E00	2_2_6D4A3E00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4C84BB	2_2_6D4C84BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4D67D9	2_2_6D4D67D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4B5150	2_2_6D4B5150
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4BE079	2_2_6D4BE079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4D0396	2_2_6D4D0396
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4E02BC	2_2_6D4E02BC

Found potential string decryption / allocating functions

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6D4A0990 appears 34 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6D4A00AC appears 100 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D4A0990 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D4A00AC appears 100 times

Uses 32bit PE files

Source: n8x3d68Gnd.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal56.troj.winDLL@55/0@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4112:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_01

Source: n8x3d68Gnd.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Connectdark

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Connectdark
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Mindlake
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Porthigh
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Problemscale
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,WingGrass
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Connectdark	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Mindlake	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Porthigh	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Problemscale	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,WingGrass	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior

Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: n8x3d68Gnd.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: n8x3d68Gnd.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: n8x3d68Gnd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: n8x3d68Gnd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: n8x3d68Gnd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: n8x3d68Gnd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: n8x3d68Gnd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum

Source: n8x3d68Gnd.dll

Static PE information: real checksum: 0xf3990 should be: 0xf2882

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A09D6 push ecx; ret	0_2_6D4A09E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A0075 push ecx; ret	0_2_6D4A0088
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A09D6 push ecx; ret	2_2_6D4A09E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A0075 push ecx; ret	2_2_6D4A0088

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match	File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4C1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6D4C1F6D

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C966F mov eax, dword ptr fs:[00000030h]		0_2_6D4C966F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4C966F mov eax, dword ptr fs:[00000030h]		2_2_6D4C966F

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D4C1F6D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D4A07A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D4A0288
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4C1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D4C1F6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D4A07A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6D4A0288

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior

Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4A0604 cpuid

0_2_6D4A0604

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\loaddll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_6D4DDD96
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4DDF65
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4D3952
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6D4DE518
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4DE61F
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6D4DE6EC
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4DE112
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_6D4DE19F
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D49F1B7
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4DE077
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4DE00E
Source: C:\Windows\System32\loaddll32.exe	Code function: ___crtGetLocaleInfoEx,	0_2_6D49F364
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4D4323
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4DE3EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_6D4DDD96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6D4DDF65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6D4D3952
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_6D4DE518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6D4DE61F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_6D4DE6EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6D4DE112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_6D4DE19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6D49F1B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6D4DE077
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6D4DE00E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoEx,	2_2_6D49F364
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6D4D4323
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6D4DE3EF

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4A09F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6D4A09F0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4D8951 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_6D4D8951

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match	File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match	File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4616BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,		0_2_6D4616BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4616BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,		2_2_6D4616BC

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: n8x3d68Gnd.dll

Avira: detected

Compliance:

Uses 32bit PE files

Source: n8x3d68Gnd.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: n8x3d68Gnd.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match	File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

Creates a DirectInput object (often for capturing keystrokes)

Source: loaddll32.exe, 00000000.00000002.917221171.000000000159B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match	File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A1C3C	0_2_6D4A1C3C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A3E00	0_2_6D4A3E00
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C84BB	0_2_6D4C84BB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4D67D9	0_2_6D4D67D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4B5150	0_2_6D4B5150
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4BE079	0_2_6D4BE079
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4D0396	0_2_6D4D0396
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4E02BC	0_2_6D4E02BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A1C3C	2_2_6D4A1C3C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A3E00	2_2_6D4A3E00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4C84BB	2_2_6D4C84BB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4D67D9	2_2_6D4D67D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4B5150	2_2_6D4B5150
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4BE079	2_2_6D4BE079
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4D0396	2_2_6D4D0396
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4E02BC	2_2_6D4E02BC

Found potential string decryption / allocating functions

Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6D4A0990 appears 34 times
Source: C:\Windows\System32\loaddll32.exe	Code function: String function: 6D4A00AC appears 100 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D4A0990 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6D4A00AC appears 100 times

Uses 32bit PE files

Source: n8x3d68Gnd.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal56.troj.winDLL@55/0@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4112:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_01

Source: n8x3d68Gnd.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Connectdark

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Connectdark
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Mindlake
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Porthigh
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Problemscale
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,WingGrass
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Connectdark	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Mindlake	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Porthigh	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Problemscale	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,WingGrass	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior

Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: n8x3d68Gnd.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: n8x3d68Gnd.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: n8x3d68Gnd.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: n8x3d68Gnd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: n8x3d68Gnd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: n8x3d68Gnd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: n8x3d68Gnd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: n8x3d68Gnd.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

PE file contains an invalid checksum

Source: n8x3d68Gnd.dll

Static PE information: real checksum: 0xf3990 should be: 0xf2882

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A09D6 push ecx; ret	0_2_6D4A09E9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A0075 push ecx; ret	0_2_6D4A0088
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A09D6 push ecx; ret	2_2_6D4A09E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A0075 push ecx; ret	2_2_6D4A0088

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match	File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4C1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6D4C1F6D

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C966F mov eax, dword ptr fs:[00000030h]		0_2_6D4C966F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4C966F mov eax, dword ptr fs:[00000030h]		2_2_6D4C966F

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4C1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D4C1F6D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6D4A07A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4A0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6D4A0288
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4C1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D4C1F6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6D4A07A7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4A0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6D4A0288

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m	Jump to behavior

Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4A0604 cpuid

0_2_6D4A0604

Contains functionality to query locales information (e.g. system language)

Source: C:\Windows\System32\loaddll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_6D4DDD96
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4DDF65
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4D3952
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_6D4DE518
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4DE61F
Source: C:\Windows\System32\loaddll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_6D4DE6EC
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4DE112
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_6D4DE19F
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D49F1B7
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4DE077
Source: C:\Windows\System32\loaddll32.exe	Code function: EnumSystemLocalesW,	0_2_6D4DE00E
Source: C:\Windows\System32\loaddll32.exe	Code function: ___crtGetLocaleInfoEx,	0_2_6D49F364
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4D4323
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoW,	0_2_6D4DE3EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_6D4DDD96
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6D4DDF65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6D4D3952
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_6D4DE518
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6D4DE61F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_6D4DE6EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6D4DE112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_6D4DE19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6D49F1B7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6D4DE077
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	2_2_6D4DE00E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoEx,	2_2_6D49F364
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6D4D4323
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	2_2_6D4DE3EF

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4A09F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6D4A09F0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D4D8951 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_6D4D8951

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match	File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match	File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D4616BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,		0_2_6D4616BC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 2_2_6D4616BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,		2_2_6D4616BC

ID:	433105
Product:	CloudBasic
Start time:	10:13:48
Start date:	11.06.2021
Sample:	n8x3d68Gnd.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	d5c0bac78e53b46b2fff5e470e98210c
SHA1:	a00da4d379748f9e6f2de1006f10156aa8c36f39
SHA256:	b92289a53611d6f8c078e931c3c5c6ce577e05358bdf54389830e962090991b7
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Analysis Report n8x3d68Gnd.dll

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map