Windows Analysis Report jrC504LJVe.dll

Overview

General Information

Sample Name: jrC504LJVe.dll
Analysis ID: 438540
MD5: 4fa3dba44cab35c7df9dc08db6afc469
SHA1: fed3518314015a7a79e33f36aed871bbf72affdc
SHA256: 968b60db061083b1450cbf3e1011c0869429cbd5e1d304490b86257d9c1eedbb
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected Ursnif
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Parent Process Executions
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: jrC504LJVe.dll Avira: detected

Compliance:

Uses 32bit PE files
Source: jrC504LJVe.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: jrC504LJVe.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb source: loaddll32.exe, 00000000.00000002.502911905.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.507263377.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.511820988.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.537390503.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000002.534924551.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000016.00000002.535615394.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 0000001B.00000002.513340429.000000006E26A000.00000002.00020000.sdmp, jrC504LJVe.dll

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: jrC504LJVe.dll, type: SAMPLE
Source: Yara match File source: 00000002.00000002.507194877.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.529754214.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.501190054.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.513290873.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.507194291.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537272561.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.525353874.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: jrC504LJVe.dll, type: SAMPLE
Source: Yara match File source: 00000002.00000002.507194877.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.529754214.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.501190054.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.513290873.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.507194291.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537272561.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.525353874.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

System Summary:

Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E223E00 0_2_6E223E00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E221C3C 0_2_6E221C3C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2567D9 0_2_6E2567D9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2484BB 0_2_6E2484BB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2602BC 0_2_6E2602BC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E250396 0_2_6E250396
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E23E079 0_2_6E23E079
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E235150 0_2_6E235150
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E223E00 2_2_6E223E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2567D9 2_2_6E2567D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E221C3C 2_2_6E221C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2484BB 2_2_6E2484BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2602BC 2_2_6E2602BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E250396 2_2_6E250396
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E23E079 2_2_6E23E079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E235150 2_2_6E235150
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E220990 appears 34 times
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E2200AC appears 100 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E220990 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E2200AC appears 100 times
Uses 32bit PE files
Source: jrC504LJVe.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal56.troj.winDLL@55/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4808:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6944:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6724:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3412:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1304:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5808:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6440:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_01
Source: jrC504LJVe.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,Connectdark
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\jrC504LJVe.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\jrC504LJVe.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,Connectdark
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\jrC504LJVe.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,Mindlake
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,Porthigh
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,Problemscale
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,WingGrass
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\jrC504LJVe.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,Connectdark
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,Mindlake
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,Problemscale
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,WingGrass
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\jrC504LJVe.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: Window Recorder Window detected: More than 3 window changes detected
Source: jrC504LJVe.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: jrC504LJVe.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: jrC504LJVe.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: jrC504LJVe.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: jrC504LJVe.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: jrC504LJVe.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: jrC504LJVe.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: jrC504LJVe.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\938\follow-Record\Suffix\observe-element\force.pdb source: loaddll32.exe, 00000000.00000002.502911905.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000002.00000002.507263377.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.511820988.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 0000000E.00000002.537390503.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000011.00000002.534924551.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 00000016.00000002.535615394.000000006E26A000.00000002.00020000.sdmp, rundll32.exe, 0000001B.00000002.513340429.000000006E26A000.00000002.00020000.sdmp, jrC504LJVe.dll
Source: jrC504LJVe.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: jrC504LJVe.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: jrC504LJVe.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: jrC504LJVe.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: jrC504LJVe.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
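The process tree in this section is the part of the report that is most useful for detection engineering: every rundll32.exe instance is started with the DLL from a user-writable path (C:\Users\user\Desktop) and a named or ordinal export (#1, Connectdark, Mindlake, Porthigh, Problemscale, WingGrass), and several of those rundll32.exe processes then spawn cmd.exe; the Sigma rule on conhost parentage fires on the conhost.exe entries in the same tree. Many of the other signatures on this page (the IsDebuggerPresent / SetUnhandledExceptionFilter chains, the GetLocaleInfoW / EnumSystemLocalesW enumeration around ___crtGetLocaleInfoEx, the two 19-byte functions ending in push ecx; ret, the single cpuid) have the shape of code a statically linked MSVC C runtime emits in any C/C++ DLL, so they are weak evidence by themselves; the Yara matches and the loader behaviour carry the verdict. The script below is an added example written for this page, not part of the Joe Sandbox report. It parses lines in the report's own "Source: <parent> Process created: <image> <command line>" form, records which exports were exercised per DLL, and flags rundll32.exe loading a DLL from a user-writable path and rundll32.exe spawning cmd.exe. The sample lines, the benign explorer.exe / shell32.dll control line, the rule names and the list of user-writable path markers are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample input for this example: a few lines in the exact
# "Source: <parent> Process created: <image> <command line>" form used in the
# report, plus one constructed benign control line (explorer.exe launching
# rundll32.exe on a system DLL) that must not be flagged.
SAMPLE_LINES = [
    r"Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\jrC504LJVe.dll'",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\jrC504LJVe.dll',#1",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\jrC504LJVe.dll',#1 Jump to behavior",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,Connectdark",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\jrC504LJVe.dll,Mindlake",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m",
    r"Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]

# One report line -> parent image, child image, child command line. The
# trailing "Jump to behavior" link text that the HTML export leaves behind is
# dropped here so pasted lines parse either way.
LINE_RE = re.compile(
    r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) "
    r"(?P<cmdline>.*?)(?: Jump to behavior)?$"
)
# rundll32 command line -> DLL path and export (name or #ordinal); handles both
# the quoted and the unquoted forms seen in the report.
RUNDLL_RE = re.compile(
    r"rundll32\.exe\s+'?(?P<dll>[^',]+?\.dll)'?,(?P<export>\S+)", re.IGNORECASE
)
# Directories an unprivileged user can write to. Editor's choice for the
# example; extend to match your environment.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str):
    """Parse one report line; None if the line is not a process-creation record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"parent": m["parent"], "image": m["image"], "cmdline": m["cmdline"]}


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def analyze(lines):
    """Return (findings, exports_by_dll).

    findings: list of (rule, detail, export) tuples, in input order
    exports_by_dll: {dll path: sorted exports invoked through rundll32}
    """
    findings = []
    exports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        image, parent = basename(rec["image"]), basename(rec["parent"])
        if image == "rundll32.exe":
            m = RUNDLL_RE.search(rec["cmdline"])
            if m:
                exports[m["dll"]].add(m["export"])
                if is_user_writable(m["dll"]):
                    findings.append(("rundll32_user_path_dll", m["dll"], m["export"]))
        if parent == "rundll32.exe" and image == "cmd.exe":
            findings.append(("rundll32_spawns_cmd", rec["cmdline"], None))
    return findings, {dll: sorted(exps) for dll, exps in exports.items()}


if __name__ == "__main__":
    found, per_dll = analyze(SAMPLE_LINES)
    for rule, detail, export in found:
        print(f"{rule:24} {detail}" + (f"  export={export}" if export else ""))
    for dll, exps in per_dll.items():
        print(f"exports exercised via {dll}: {', '.join(exps)}")
```

The per-DLL export list is worth keeping alongside the hashes: a sandbox runs every export it finds, so the names it lists (here #1 plus the five named exports) are the ones an analyst has to cover when reproducing the behaviour in a debugger, and a loader that calls a specific named export is a stronger command-line indicator than rundll32.exe on its own.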

Data Obfuscation:

PE file contains an invalid checksum
Source: jrC504LJVe.dll Static PE information: real checksum: 0xf3990 should be: 0xebee6
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2209D6 push ecx; ret 0_2_6E2209E9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220075 push ecx; ret 0_2_6E220088
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E220075 push ecx; ret 2_2_6E220088
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2209D6 push ecx; ret 2_2_6E2209E9
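The checksum signature compares the CheckSum field in the optional header with the value the Windows image checksum algorithm yields for the file; the two numbers the report quotes (0xf3990 and 0xebee6) disagree. On its own that is weak evidence: user-mode images load regardless of the CheckSum (the loader enforces it only for drivers and a few system DLLs), so stale or zero checksums are common in packed malware and in ordinary builds alike. The code below is an added example, not part of the Joe Sandbox report, reproducing that check in Python so it can be re-run on the sample or any other PE: it implements the CheckSumMappedFile folding algorithm, reads the stored field, and can rewrite it. The minimal MZ/PE-shaped buffer it builds for offline testing is constructed for the example and is not a loadable image; the function names are the editor's.

```python
import struct


def _checksum_field_offset(data: bytes) -> int:
    """Byte offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # signature (4) + IMAGE_FILE_HEADER (20) + CheckSum at optional-header offset 64
    offset = e_lfanew + 4 + 20 + 64
    if offset % 4 or offset + 4 > len(data):
        raise ValueError("CheckSum field unaligned or outside the file")
    return offset


def stored_checksum(data: bytes) -> int:
    """The value the file claims in its header."""
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """CheckSum as imagehlp's CheckSumMappedFile computes it: 32-bit end-around-
    carry sum of every dword except the CheckSum field, folded to 16 bits,
    plus the file length."""
    skip = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)   # the sum runs over whole dwords
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:                 # end-around carry
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def check_file(data: bytes):
    """(stored, computed, matches): the report's 'real checksum / should be' line."""
    stored, computed = stored_checksum(data), pe_checksum(data)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with the CheckSum field rewritten to the computed value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_test_image(length: int = 184) -> bytes:
    """Constructed MZ/PE-shaped buffer for offline testing (not a loadable
    image): headers at the usual places, a deliberately wrong CheckSum, and
    one 0xFFFFFFFF dword so the carry fold is exercised."""
    buf = bytearray(length)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x20, 0xFFFFFFFF)
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 64, 0xDEADBEEF)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image()
    stored, computed, ok = check_file(blob)
    print(f"real checksum: {stored:#x} should be: {computed:#x} ({'ok' if ok else 'MISMATCH'})")
```

Run with the sample path as the argument to reproduce the report's line; for a cross-check, pefile exposes the same values through PE.OPTIONAL_HEADER.CheckSum and PE.generate_checksum() (PE.verify_checksum() does the comparison).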

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: jrC504LJVe.dll, type: SAMPLE
Source: Yara match File source: 00000002.00000002.507194877.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.529754214.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.501190054.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.513290873.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.507194291.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537272561.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.525353874.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E241F6D
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E24966F mov eax, dword ptr fs:[00000030h] 0_2_6E24966F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E24966F mov eax, dword ptr fs:[00000030h] 2_2_6E24966F
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E241F6D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E2207A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E2207A7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E220288
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E241F6D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E241F6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E2207A7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E2207A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E220288 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E220288

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\jrC504LJVe.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Island
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cd Matter m
Source: loaddll32.exe, 00000000.00000002.501134012.00000000013C0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.483282253.00000000033D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.481774524.0000000003530000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.537147837.0000000003820000.00000002.00000001.sdmp, rundll32.exe, 00000011.00000002.514327725.0000000003870000.00000002.00000001.sdmp, rundll32.exe, 00000016.00000002.520658542.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000001B.00000002.513252331.0000000002D40000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.501134012.00000000013C0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.483282253.00000000033D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.481774524.0000000003530000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.537147837.0000000003820000.00000002.00000001.sdmp, rundll32.exe, 00000011.00000002.514327725.0000000003870000.00000002.00000001.sdmp, rundll32.exe, 00000016.00000002.520658542.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000001B.00000002.513252331.0000000002D40000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.501134012.00000000013C0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.483282253.00000000033D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.481774524.0000000003530000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.537147837.0000000003820000.00000002.00000001.sdmp, rundll32.exe, 00000011.00000002.514327725.0000000003870000.00000002.00000001.sdmp, rundll32.exe, 00000016.00000002.520658542.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000001B.00000002.513252331.0000000002D40000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.501134012.00000000013C0000.00000002.00000001.sdmp, rundll32.exe, 00000002.00000002.483282253.00000000033D0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.481774524.0000000003530000.00000002.00000001.sdmp, rundll32.exe, 0000000E.00000002.537147837.0000000003820000.00000002.00000001.sdmp, rundll32.exe, 00000011.00000002.514327725.0000000003870000.00000002.00000001.sdmp, rundll32.exe, 00000016.00000002.520658542.0000000002CE0000.00000002.00000001.sdmp, rundll32.exe, 0000001B.00000002.513252331.0000000002D40000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220604 cpuid 0_2_6E220604
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E25DF65
Source: C:\Windows\System32\loaddll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_6E25DD96
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E253952
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E25E61F
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E25E6EC
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6E25E518
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E254323
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoEx, 0_2_6E21F364
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E25E3EF
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E25E00E
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E25E077
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6E25E112
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E21F1B7
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E25E19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E25E61F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E25E6EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E25DF65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E25E518
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E25DD96
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E254323
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 2_2_6E21F364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E25E3EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E25E00E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E25E077
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E25E112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E253952
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E21F1B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E25E19F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E209A14 GetSystemTimeAsFileTime, 0_2_6E209A14
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E258951 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_6E258951
Note: the locale and time-zone chains above are reported at identical addresses in loaddll32.exe (0_2_*) and rundll32.exe (2_2_*), i.e. the same code seen once per host process rather than separate hits, and several of them are Visual C++ runtime internals (___crtGetLocaleInfoEx; the _free/GetTimeZoneInformation/WideCharToMultiByte sequence). On their own they do not demonstrate a sample-specific language or region check.

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: jrC504LJVe.dll, type: SAMPLE
Source: Yara match File source: 00000002.00000002.507194877.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.529754214.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.501190054.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.513290873.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.507194291.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537272561.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.525353874.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: jrC504LJVe.dll, type: SAMPLE
Source: Yara match File source: 00000002.00000002.507194877.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.529754214.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.501190054.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.513290873.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.507194291.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.537272561.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.525353874.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 0_2_6E1E16BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 2_2_6E1E16BC
Note: the only code location behind this signature is the MSVC-decorated symbol __ehhandler$??1_Scoped_lock@ (full name in the two lines above), the exception-handler funclet of a Concurrency Runtime (ConcRT) _Scoped_lock destructor linked in from the C++ runtime. No socket, bind or listen API chain is reported and the report records no contacted IPs, so treat this hit as a weak indicator unless a network listener is observed dynamically.
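The "Code function" and "Yara match" lines in the sections above are easier to triage once they are parsed into records: the same function address recurring under 0_2_ and 2_2_ is one piece of code seen in two host processes, the .sdmp memory-dump names encode the process index in hex while the .unpack names use decimal, and CRT or ConcRT symbols can be separated from sample-specific logic. The following Python helper is an added example written for this page, not part of the report or of Joe Sandbox; its function names, the regular expressions and the runtime-symbol markers are assumptions about the line format as it appears here, and the sample input is a constructed subset of this report's own lines.

```python
"""Parse Joe Sandbox "Code function" / "Yara match" signature lines into records.
Added triage helper, not part of this report or of Joe Sandbox; the sample lines are
copied from the sections above, everything else assumes the line format seen there."""
import re
from collections import defaultdict

# Constructed sample input: a subset of this report's own signature lines.
SAMPLE = r"""
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E220604 cpuid 0_2_6E220604
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6E25DF65
Source: C:\Windows\System32\loaddll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_6E25E6EC
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoEx, 0_2_6E21F364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E25E6EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 2_2_6E21F364
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E25DF65
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E258951 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_6E258951
Source: Yara match File source: 00000002.00000002.507194877.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.529754214.000000006E1E1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 2.2.rundll32.exe.6e1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.6e1e0000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E1E16BC __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ, 2_2_6E1E16BC
"""

# Assumed line formats (derived from the lines above, not a documented Joe Sandbox grammar).
CODE_RE = re.compile(r"^Source: (?P<proc>\S+) Code function: (?P<body>.*?)\s*"
                     r"(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8})\s*$")
LEADING_TOKEN_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}\s+")
YARA_MEM_RE = re.compile(r"^Source: Yara match File source: (?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}"
                         r"\.\d+\.(?P<addr>[0-9A-Fa-f]{16})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp, type: MEMORY$")
YARA_UNPACK_RE = re.compile(r"^Source: Yara match File source: (?P<pid>\d+)\.\d+\.(?P<image>\S+?\.exe)"
                            r"\.(?P<base>[0-9A-Fa-f]+)\.\d+\.unpack, type: UNPACKEDPE$")
# Name fragments that mark Visual C++ runtime / ConcRT symbols rather than sample logic.
RUNTIME_MARKERS = ("___crt", "__ehhandler$", "@@")


def parse_report(text):
    """Return {'code': [...], 'yara_memory': [...], 'yara_unpacked': [...]}."""
    out = {"code": [], "yara_memory": [], "yara_unpacked": []}
    for line in text.splitlines():
        line = line.strip()
        if m := CODE_RE.match(line):
            # Some lines repeat the pid_phase_addr token in front of the API chain; drop it.
            body = LEADING_TOKEN_RE.sub("", m.group("body")).rstrip(",")
            out["code"].append({
                "process": m.group("proc").rsplit("\\", 1)[-1],
                "pid": int(m.group("pid")),            # decimal process index
                "addr": int(m.group("addr"), 16),
                "chain": [c.strip() for c in body.split(",") if c.strip()],
            })
        elif m := YARA_MEM_RE.match(line):
            # .sdmp names carry the process index as eight hex digits (00000016 == 22)
            out["yara_memory"].append({"pid": int(m.group("pid"), 16),
                                       "addr": int(m.group("addr"), 16)})
        elif m := YARA_UNPACK_RE.match(line):
            out["yara_unpacked"].append({"pid": int(m.group("pid")), "image": m.group("image"),
                                         "base": int(m.group("base"), 16)})
    return out


def shared_addresses(code):
    """Addresses reported in more than one process: the same code, not additional hits."""
    seen = defaultdict(set)
    for rec in code:
        seen[rec["addr"]].add(rec["pid"])
    return {addr: pids for addr, pids in seen.items() if len(pids) > 1}


def runtime_symbols(code):
    """Records whose chain contains a CRT-internal or MSVC-decorated C++ runtime name."""
    return [rec for rec in code
            if any(any(mk in fn for mk in RUNTIME_MARKERS) for fn in rec["chain"])]


def yara_process_ids(parsed):
    """Process indices with a Yara hit, merging hex .sdmp and decimal .unpack naming."""
    return ({r["pid"] for r in parsed["yara_memory"]}
            | {r["pid"] for r in parsed["yara_unpacked"]})


def summarize(text):
    parsed = parse_report(text)
    return {
        "code_hits": len(parsed["code"]),
        "unique_addresses": len({r["addr"] for r in parsed["code"]}),
        "shared_addresses": sorted(shared_addresses(parsed["code"])),
        "runtime_symbol_addresses": sorted({r["addr"] for r in runtime_symbols(parsed["code"])}),
        "yara_processes": sorted(yara_process_ids(parsed)),
        "yara_memory_addresses": sorted({r["addr"] for r in parsed["yara_memory"]}),
        "yara_image_bases": sorted({r["base"] for r in parsed["yara_unpacked"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        if key.endswith("addresses") or key.endswith("bases"):
            value = [f"0x{v:08X}" for v in value]
        print(f"{key}: {value}")
```

On the sample above the nine code hits collapse to six distinct addresses, three of which are the same locale code reported from both loaddll32.exe and rundll32.exe; the runtime-symbol filter picks out ___crtGetLocaleInfoEx and the ConcRT __ehhandler$ funclet; and every Yara memory hit sits at 0x6E1E1000 with an unpacked image base of 0x6E1E0000, the same mapping of the DLL in each process.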
No contacted IP infos