Analysis Report n8x3d68Gnd.dll

Overview

General Information

Sample Name: n8x3d68Gnd.dll
Analysis ID: 433105
MD5: d5c0bac78e53b46b2fff5e470e98210c
SHA1: a00da4d379748f9e6f2de1006f10156aa8c36f39
SHA256: b92289a53611d6f8c078e931c3c5c6ce577e05358bdf54389830e962090991b7
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 56 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Ursnif
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6996 cmdline: loaddll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 7024 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 7064 cmdline: rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • cmd.exe (PID: 7112 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 6388 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 7052 cmdline: rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Connectdark MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 7084 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5780 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 6044 cmdline: rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Mindlake MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 3436 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 1288 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 5772 cmdline: rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Porthigh MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 5680 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2204 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 4728 cmdline: rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Problemscale MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6200 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6872 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • rundll32.exe (PID: 6208 cmdline: rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,WingGrass MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6472 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6940 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6580 cmdline: C:\Windows\system32\cmd.exe /c cd Island MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • cmd.exe (PID: 6876 cmdline: C:\Windows\system32\cmd.exe /c cd Matter m MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup
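The tree above shows every named export of the DLL being invoked through rundll32.exe, and each of those rundll32.exe instances (as well as the loaddll32.exe harness itself) spawning two cmd.exe children whose entire command line is `cd Island` or `cd Matter m`. A cmd.exe that only changes directory does no useful work, so this parent/child shape is a reasonable pivot for a detection rule even though no Sigma rule matched in this run. The following is an added triage helper, not part of the Joe Sandbox report or its tooling; the event list is constructed from the process tree above (conhost.exe entries omitted), and the `ProcEvent` type, the function names and the regular expressions are this example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (illustrative type, not a Joe Sandbox structure)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree above: PIDs and command lines as the report lists them.
# conhost.exe children are omitted; they are console-host noise, not sample behaviour.
EVENTS = [
    ProcEvent(6996, 0,    "loaddll32.exe", r"loaddll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll'"),
    ProcEvent(7024, 6996, "cmd.exe",       r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1"),
    ProcEvent(7064, 7024, "rundll32.exe",  r"rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1"),
    ProcEvent(7112, 7064, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Island"),
    ProcEvent(6388, 7064, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Matter m"),
    ProcEvent(7052, 6996, "rundll32.exe",  r"rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Connectdark"),
    ProcEvent(7084, 7052, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Island"),
    ProcEvent(5780, 7052, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Matter m"),
    ProcEvent(6044, 6996, "rundll32.exe",  r"rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Mindlake"),
    ProcEvent(3436, 6044, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Island"),
    ProcEvent(1288, 6044, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Matter m"),
    ProcEvent(5772, 6996, "rundll32.exe",  r"rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Porthigh"),
    ProcEvent(5680, 5772, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Island"),
    ProcEvent(2204, 5772, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Matter m"),
    ProcEvent(4728, 6996, "rundll32.exe",  r"rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Problemscale"),
    ProcEvent(6200, 4728, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Island"),
    ProcEvent(6872, 4728, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Matter m"),
    ProcEvent(6208, 6996, "rundll32.exe",  r"rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,WingGrass"),
    ProcEvent(6472, 6208, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Island"),
    ProcEvent(6940, 6208, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Matter m"),
    ProcEvent(6580, 6996, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Island"),
    ProcEvent(6876, 6996, "cmd.exe",       r"C:\Windows\system32\cmd.exe /c cd Matter m"),
]

# rundll32.exe <dll>,<export>  (export is a name or an ordinal such as #1; the path may be quoted)
RUNDLL_RE = re.compile(r"rundll32\.exe\s+'?(?P<dll>[^',\s]+)'?,(?P<export>#\d+|[A-Za-z_]\w*)", re.I)
# cmd.exe whose whole command is a bare "cd <something>" with no further command chained
CD_ONLY_RE = re.compile(r"^(?:\S*\\)?cmd\.exe\s+/c\s+(?P<cmd>cd\s+[^&|<>]*)$", re.I)


def rundll32_exports(events):
    """Every export of the DLL that was invoked through rundll32.exe, mapped to the DLL path."""
    found = {}
    for ev in events:
        if ev.image.lower() == "rundll32.exe":
            m = RUNDLL_RE.search(ev.cmdline)
            if m:
                found[m.group("export")] = m.group("dll")
    return found


def cd_children_by_export(events):
    """For each rundll32.exe export invocation, the bare 'cd ...' cmd.exe children it spawned.
    A non-empty result is the detection: a DLL export running under rundll32 has no business
    launching shells that only change directory."""
    by_pid = {ev.pid: ev for ev in events}
    hits = {}
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None or parent.image.lower() != "rundll32.exe" or ev.image.lower() != "cmd.exe":
            continue
        m = CD_ONLY_RE.match(ev.cmdline)
        if not m:
            continue
        export = RUNDLL_RE.search(parent.cmdline)
        key = export.group("export") if export else "<unparsed>"
        hits.setdefault(key, []).append(m.group("cmd"))
    return hits


if __name__ == "__main__":
    print("exports invoked:", sorted(rundll32_exports(EVENTS)))
    for export, cmds in cd_children_by_export(EVENTS).items():
        print(f"rundll32 export {export!r} spawned: {cmds}")
```

Feeding real Sysmon event ID 1 or EDR process-creation records into the same functions only requires mapping their fields onto `ProcEvent`. The rule deliberately keys on the parent being rundll32.exe rather than on the DLL file name, which is random per campaign; what the tree shows, and what survives renaming, is `rundll32.exe <dll>,<export>` followed by `cmd.exe /c cd <word>` children.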

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
n8x3d68Gnd.dll | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security

Memory Dumps

Source | Rule | Description | Author
00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.2.loaddll32.exe.6d460000.0.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
3.2.rundll32.exe.6d460000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
21.2.rundll32.exe.6d460000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
24.2.rundll32.exe.6d460000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
13.2.rundll32.exe.6d460000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
16.2.rundll32.exe.6d460000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security
2.2.rundll32.exe.6d460000.1.unpack | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: n8x3d68Gnd.dll | Avira: detected
Source: n8x3d68Gnd.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: n8x3d68Gnd.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb | source: loaddll32.exe, 00000000.00000002.917348475.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.962266346.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.966549203.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 0000000D.00000002.966145648.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 00000010.00000002.964938469.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 00000015.00000002.921321344.000000006D4EA000.00000002.00020000.sdmp, rundll32.exe, 00000018.00000002.959988796.000000006D4EA000.00000002.00020000.sdmp, n8x3d68Gnd.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: n8x3d68Gnd.dll, type: SAMPLE
Source: Yara match | File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
Source: loaddll32.exe, 00000000.00000002.917221171.000000000159B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif (same matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A1C3C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A3E00
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C84BB
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4D67D9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4B5150
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4BE079
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4D0396
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4E02BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4A1C3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4A3E00
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4C84BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4D67D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4B5150
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4BE079
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4D0396
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4E02BC
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6D4A0990 appears 34 times
Source: C:\Windows\System32\loaddll32.exe | Code function: String function: 6D4A00AC appears 100 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D4A0990 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6D4A00AC appears 100 times
Source: classification engine | Classification label: mal56.troj.winDLL@55/0@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4112:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6560:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4800:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4164:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6728:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_01
Source: n8x3d68Gnd.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Connectdark
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Mindlake
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Porthigh
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,Problemscale
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\n8x3d68Gnd.dll,WingGrass
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: n8x3d68Gnd.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: n8x3d68Gnd.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: n8x3d68Gnd.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: n8x3d68Gnd.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: n8x3d68Gnd.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: n8x3d68Gnd.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: n8x3d68Gnd.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: n8x3d68Gnd.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: n8x3d68Gnd.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: n8x3d68Gnd.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: n8x3d68Gnd.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: n8x3d68Gnd.dll | Static PE information: real checksum: 0xf3990 should be: 0xf2882
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A09D6 push ecx; ret 0_2_6D4A09E9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A0075 push ecx; ret 0_2_6D4A0088
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4A09D6 push ecx; ret 2_2_6D4A09E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4A0075 push ecx; ret 2_2_6D4A0088
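The line `real checksum: 0xf3990 should be: 0xf2882` is the evidence behind the "PE file contains an invalid checksum" signature: the CheckSum field stored in the optional header (0xf3990) does not match the value recomputed over the file bytes (0xf2882). A non-zero but wrong value is what you get when a file is modified after the linker wrote its header, which is consistent with a packed or re-crypted binary. Windows only enforces the checksum for drivers and a few system images, so a user-mode DLL with a bad checksum still loads; the mismatch is a triage signal, not an execution blocker. The following is an added example (not Joe Sandbox code) that recomputes the checksum with the standard imagehlp algorithm (sum the 32-bit words with end-around carry, skipping the CheckSum field itself, fold to 16 bits, add the file length). The `build_minimal_pe32` helper fabricates a tiny header-only image purely so the script runs offline; in practice you pass a real DLL's bytes to `verify_checksum`.

```python
import struct


def _checksum_field_offset(data: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (PE\\0\\0) + 20 (COFF header) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Recompute the image checksum the way imagehlp!CheckSumMappedFile does: sum every
    32-bit word except the CheckSum field with end-around carry, fold to 16 bits, add length."""
    skip_index = _checksum_field_offset(data) // 4
    padded = data + b"\0" * (-len(data) % 4)          # the sum runs over whole dwords
    total = 0
    for i in range(len(padded) // 4):
        if i == skip_index:
            continue                                   # the field itself is excluded
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)                           # original, unpadded length


def stored_checksum(data: bytes) -> int:
    """The value the linker (or whoever last wrote the header) left in the CheckSum field."""
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def verify_checksum(data: bytes):
    """Return (stored, computed, ok). ok is False for the mismatch the report flags.
    A stored value of 0 means the linker never set it, which is common and not suspicious."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def set_checksum(data: bytes) -> bytes:
    """Write a correct CheckSum into the header (what a linker does at the end of a build)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_minimal_pe32(checksum: int = 0, body: bytes = b"\x90" * 64) -> bytes:
    """Constructed test data: MZ stub + PE signature + COFF header + PE32 optional header + padding.
    Enough for the checksum math to run; it is not a loadable binary."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 1 section, no timestamp/symbols, SizeOfOptionalHeader=0xE0,
    # Characteristics = DLL | EXECUTABLE_IMAGE | 32BIT_MACHINE (matches the flags in this report)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)          # CheckSum field
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    good = set_checksum(build_minimal_pe32())
    print("as linked:", verify_checksum(good))
    tampered = good[:-1] + b"\xCC"                     # any post-link edit invalidates the stored value
    print("patched after linking:", verify_checksum(tampered))
```

When running this over a corpus, treat `stored == 0` separately from a real mismatch: unset checksums are routine for unsigned user-mode builds, whereas a non-zero stored value that disagrees with the recomputed one, as here, means the bytes changed after the header was finalised.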

                        Hooking and other Techniques for Hiding and Protection:

                        barindex
                        Yara detected UrsnifShow sources
                        Source: Yara matchFile source: n8x3d68Gnd.dll, type: SAMPLE
                        Source: Yara matchFile source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
                        Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_6D4C1F6D
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C966F mov eax, dword ptr fs:[00000030h] | 0_2_6D4C966F
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4C966F mov eax, dword ptr fs:[00000030h] | 2_2_6D4C966F
                        Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4C1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_6D4C1F6D
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_6D4A07A7
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 0_2_6D4A0288
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4C1F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_6D4C1F6D
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4A07A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 2_2_6D4A07A7
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4A0288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 2_2_6D4A0288
                        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\n8x3d68Gnd.dll',#1
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
                        Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
                        Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                        Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                        Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp | Binary or memory string: Progman
                        Source: loaddll32.exe, 00000000.00000002.917246686.0000000001A20000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.957190907.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.932674972.00000000030B0000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.928824378.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000010.00000002.927424186.0000000003780000.00000002.00000001.sdmp, rundll32.exe, 00000015.00000002.921221388.0000000003440000.00000002.00000001.sdmp, rundll32.exe, 00000018.00000002.929091942.00000000030B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A0604 cpuid | 0_2_6D4A0604
                        Source: C:\Windows\System32\loaddll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, | 0_2_6D4DDD96
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, | 0_2_6D4DDF65
                        Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, | 0_2_6D4D3952
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 0_2_6D4DE518
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, | 0_2_6D4DE61F
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 0_2_6D4DE6EC
                        Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, | 0_2_6D4DE112
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 0_2_6D4DE19F
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, | 0_2_6D49F1B7
                        Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, | 0_2_6D4DE077
                        Source: C:\Windows\System32\loaddll32.exe | Code function: EnumSystemLocalesW, | 0_2_6D4DE00E
                        Source: C:\Windows\System32\loaddll32.exe | Code function: ___crtGetLocaleInfoEx, | 0_2_6D49F364
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, | 0_2_6D4D4323
                        Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoW, | 0_2_6D4DE3EF
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, | 2_2_6D4DDD96
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 2_2_6D4DDF65
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 2_2_6D4D3952
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, | 2_2_6D4DE518
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 2_2_6D4DE61F
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, | 2_2_6D4DE6EC
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 2_2_6D4DE112
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, | 2_2_6D4DE19F
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 2_2_6D49F1B7
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 2_2_6D4DE077
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: EnumSystemLocalesW, | 2_2_6D4DE00E
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoEx, | 2_2_6D49F364
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 2_2_6D4D4323
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW, | 2_2_6D4DE3EF
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4A09F0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 0_2_6D4A09F0
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4D8951 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, | 0_2_6D4D8951

                        Stealing of Sensitive Information:

                        Yara detected Ursnif
                        Source: Yara match | File source: n8x3d68Gnd.dll, type: SAMPLE
                        Source: Yara match | File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE

                        Remote Access Functionality:

                        Yara detected Ursnif
                        Source: Yara match | File source: n8x3d68Gnd.dll, type: SAMPLE
                        Source: Yara match | File source: 00000018.00000002.945736297.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000003.00000002.949353578.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0000000D.00000002.945539240.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000002.00000002.962212872.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000010.00000002.944163100.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.917299629.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000015.00000002.921268168.000000006D461000.00000020.00020000.sdmp, type: MEMORY
                        Source: Yara match | File source: 0.2.loaddll32.exe.6d460000.0.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 3.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 21.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 24.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 13.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 16.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 2.2.rundll32.exe.6d460000.1.unpack, type: UNPACKEDPE
                        Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6D4616BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, | 0_2_6D4616BC
                        Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6D4616BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, | 2_2_6D4616BC

                        Mitre Att&ck Matrix

                        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                        Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 2 | Rundll32 1 | Input Capture 1 | System Time Discovery 2 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                        Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 2 | LSASS Memory | Security Software Discovery 1 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information 1 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                        Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | System Information Discovery 2 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud

                        Behavior Graph

                        [Behavior graph not recoverable from this page. Recoverable information: Behavior Graph ID 433105, Sample: n8x3d68Gnd.dll, Startdate: 11/06/2021, Architecture: WINDOWS, Score: 56. Signatures attached to the graph: "Antivirus / Scanner detection for submitted sample" and "Yara detected Ursnif". Process nodes: loaddll32.exe started from the sample, which starts cmd.exe, two rundll32.exe instances and 5 other processes; the cmd.exe instance starts rundll32.exe; the rundll32.exe instances in turn start further cmd.exe and conhost.exe processes.]