Windows Analysis Report 570000.dll

Overview

General Information

Sample Name: 570000.dll
Analysis ID: 444650
MD5: 6577b8581782142e658f404003f240ab
SHA1: c6420b09963f9cc8db489b477238374448b11de8
SHA256: 0314e12bc1cb1e046282a7933eab7e5fa7ec39c9ceaa78e233c7648904af5c28
Tags: dll

Detection

Ursnif
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected Ursnif
Machine Learning detection for sample
Checks if the current process is being debugged
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
One or more processes crash
Uses 32bit PE files

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 570000.dll Avira: detected
Found malware configuration
Source: 1.0.loaddll32.exe.570000.0.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "uiTXezezuapGKYR5Hmb7kdSK6au8TKB7wW9g5rwW5i1COxT1S+zuTy9YoTvI7hEm3kZdxYsJDG0+aStAKO8pzy41ZgWbaYpVgP+XSgAT7qWoXdAS/gVbMTJCCqNHkAtniUmHicelSYpHYminzht/W5i+89jC9sbo8vwV/qG0cnCdraqUqpCPQT4N25ybpFXm", "c2_domain": ["cdp.geotrust.com", "217.12.221.28", "195.123.247.51", "195.123.213.89", "qpwoeirutyzmxncbp2.xyz", "pqowieurytalskdjp2.xyz", "wopqrituysakldfap2.xyz"], "dns_server": ["107.174.86.134", "107.175.127.22"], "DGA_count": "10", "ip_check_url": ["api.wipmania.com", "ipinfo.io/ip"], "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "120", "time_value": "120", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "120", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "120", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "120", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "5456", "capture_window_title?(CRC_KEYLOGLIST)": "", "SetWaitableTimer_value": "60"}
Machine Learning detection for sample
Source: 570000.dll Joe Sandbox ML: detected
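
To turn the extracted configuration above into something a blocklist or a hunt can consume, the following is an added example (it is not part of the sandbox report and not Joe Sandbox tooling). It parses a trimmed copy of the config, separates the C2 IP literals from the hostnames, sets aside cdp.geotrust.com (GeoTrust's CRL distribution point, treated here on the assumption that it serves as a reachability check rather than attacker infrastructure), notes the hard-coded resolvers and IP-check hosts, and sanity-checks the RSA key blob by decoding it. The KNOWN_BENIGN set, the field handling and the blocklist format are assumptions of the example.

```python
import base64
import ipaddress
import json

# Trimmed copy of the Ursnif configuration the report's extractor produced for
# 1.0.loaddll32.exe.570000.0.unpack; the SetWaitableTimer/time fields are left out.
REPORT_CONFIG = """{
  "RSA Public Key": "uiTXezezuapGKYR5Hmb7kdSK6au8TKB7wW9g5rwW5i1COxT1S+zuTy9YoTvI7hEm3kZdxYsJDG0+aStAKO8pzy41ZgWbaYpVgP+XSgAT7qWoXdAS/gVbMTJCCqNHkAtniUmHicelSYpHYminzht/W5i+89jC9sbo8vwV/qG0cnCdraqUqpCPQT4N25ybpFXm",
  "c2_domain": ["cdp.geotrust.com", "217.12.221.28", "195.123.247.51", "195.123.213.89",
                "qpwoeirutyzmxncbp2.xyz", "pqowieurytalskdjp2.xyz", "wopqrituysakldfap2.xyz"],
  "dns_server": ["107.174.86.134", "107.175.127.22"],
  "DGA_count": "10",
  "ip_check_url": ["api.wipmania.com", "ipinfo.io/ip"],
  "server": "12",
  "serpent_key": "10291029JSRABBIT",
  "botnet": "5456"
}"""

# Assumption of this example: hosts in c2_domain that belong to well-known public
# services are reachability checks / decoys, not attacker infrastructure.
# cdp.geotrust.com is GeoTrust's CRL distribution point.
KNOWN_BENIGN = {"cdp.geotrust.com"}


def split_hosts(entries):
    """Separate literal IP addresses from hostnames (hostnames lower-cased)."""
    ips, names = [], []
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
            ips.append(entry)
        except ValueError:
            names.append(entry.lower())
    return ips, names


def build_iocs(config_text):
    cfg = json.loads(config_text)
    c2_ips, c2_names = split_hosts(cfg.get("c2_domain", []))
    dns_ips, _ = split_hosts(cfg.get("dns_server", []))
    # The key is a base64 blob; its decoded size is a cheap check that the
    # extractor did not truncate it.
    key_blob = base64.b64decode(cfg["RSA Public Key"])
    return {
        "botnet": cfg.get("botnet"),
        "server": cfg.get("server"),
        "c2_ips": c2_ips,
        "c2_domains": [n for n in c2_names if n not in KNOWN_BENIGN],
        "decoy_domains": [n for n in c2_names if n in KNOWN_BENIGN],
        "dns_servers": dns_ips,  # resolvers hard-coded in the config
        "ip_check_hosts": [u.split("/", 1)[0] for u in cfg.get("ip_check_url", [])],
        "dga_count": int(cfg.get("DGA_count", "0")),
        "serpent_key_len": len(cfg["serpent_key"]),  # 16 bytes = 128-bit Serpent key
        "rsa_blob_len": len(key_blob),
    }


def blocklist(iocs):
    """Flat (type, value) pairs for a firewall or DNS RPZ feed. Decoy and
    public IP-check hosts are deliberately left out to avoid false positives."""
    out = [("ip", ip) for ip in iocs["c2_ips"] + iocs["dns_servers"]]
    out += [("domain", d) for d in iocs["c2_domains"]]
    return out


if __name__ == "__main__":
    iocs = build_iocs(REPORT_CONFIG)
    for kind, value in blocklist(iocs):
        print(f"{kind}\t{value}")
    print(f"botnet={iocs['botnet']} dga_count={iocs['dga_count']} "
          f"rsa_blob={iocs['rsa_blob_len']} bytes")
```

The DGA_count value says how many generated domains the bot will try beyond the static list, so the three .xyz hosts and three IPs are only the fixed part of the infrastructure; the resolvers under dns_server are included in the blocklist because the bot is configured to use them directly.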

Compliance:

Uses 32bit PE files
Source: 570000.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.238112124.0000000004D27000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb~,7't source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.239722445.0000000002E7F000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdbMs1 source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb`,1' source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: mCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000A.00000002.246495574.0000000002BE2000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.249988868.0000000000842000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.247898866.0000000002CB2000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
Source: Binary string: sechost.pdbos source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.238558393.0000000002E8B000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.240540546.00000000030BC000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: fltLib.pdbF, source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdbZ, source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbws source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdbcs source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
Source: Binary string: combase.pdbr, source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.239722445.0000000002E7F000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.240520074.00000000030B0000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb= source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb_s# source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdbj,+'r source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdbys source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
Source: Binary string: profapi.pdbH,' source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: winspool.pdbAs% source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000C.00000003.238484656.0000000002E79000.00000004.00000001.sdmp
Source: Binary string: imagehlp.pdbP,a'a source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
Source: Binary string: sfc.pdbD source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: setupapi.pdbKs? source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbes source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb\, source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.238558393.0000000002E8B000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.240540546.00000000030BC000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.238484656.0000000002E79000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.240629576.00000000030B6000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp
Source: loaddll32.exe, 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: loaddll32.exe, 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
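
Every PDB string above cites a WerFault.exe dump, and that is worth making explicit before anyone reads them as debug paths of the sample: WerFault is the Windows crash reporter, spawned (see System Summary) for the three crashing processes, and the names are the symbol files of Windows modules (kernel32, ntdll, rundll32 and so on) present in its memory, not anything from 570000.dll. The following added example (not part of the report) parses a few of those lines as constructed sample input, normalises each PDB name (dropping the trailing junk bytes and a glued-on RSDS CodeView marker) and attributes it to its source process and sandbox process number. Only the leading hexadecimal process number of the dump name is relied on; the meaning of the remaining fields is not assumed.

```python
import re
from collections import defaultdict

# Constructed sample: four "Binary string" evidence lines from the Compliance
# section above, copied as the sandbox reported them.
SAMPLE_LINES = [
    "Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.238112124.0000000004D27000.00000004.00000001.sdmp",
    "Source: Binary string: wimm32.pdb~,7't source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp",
    "Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp",
    "Source: Binary string: mCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000A.00000002.246495574.0000000002BE2000.00000004.00000001.sdmp",
]

LINE_RE = re.compile(r"^Source: Binary string: (?P<raw>.*?) source: (?P<dumps>.+)$")
PDB_RE = re.compile(r"([A-Za-z0-9_]+\.pdb)")
# A dump reference is "<process image>, <hex process no>.<more hex fields>.sdmp";
# only the process image and the leading process number are used here.
DUMP_RE = re.compile(r"(?P<proc>[^,\s]+), (?P<procno>[0-9A-F]{8})(?:\.[0-9A-F]+)+\.sdmp")


def pdb_name(raw):
    """Return the bare '<name>.pdb' inside a strings-extracted blob, or None."""
    m = PDB_RE.search(raw)
    if not m:
        return None
    name = m.group(1)
    # "RSDS" is the CodeView signature that precedes the PDB path in a PE debug
    # directory; when a strings pass glues it onto the name, keep only what
    # follows it.
    if "RSDS" in name:
        name = name.rsplit("RSDS", 1)[1]
    return name


def attribute(lines):
    """Map each source process image to the PDB names seen in its dumps, and
    each PDB name to the sandbox process numbers it was found in."""
    by_process = defaultdict(set)
    by_pdb = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        name = pdb_name(m["raw"])
        if not name:
            continue
        for d in DUMP_RE.finditer(m["dumps"]):
            by_process[d["proc"]].add(name)
            by_pdb[name].add(int(d["procno"], 16))
    return dict(by_process), dict(by_pdb)


if __name__ == "__main__":
    by_process, by_pdb = attribute(SAMPLE_LINES)
    for proc, names in by_process.items():
        print(f"{proc}: {sorted(names)}")
    for name, procnos in by_pdb.items():
        print(f"{name} seen in sandbox process no. {sorted(procnos)}")
```

Run over the full Compliance list the only key in by_process is WerFault.exe, which is the check to do before spending time on the strings; the same parser flags the case where a PDB path does come from the sample's own process, which would be a real indicator.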

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.236700469.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.232967522.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.237506792.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.264420353.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.255343857.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.232287785.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5400, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5428, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000001.00000000.237443532.000000000116B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.236700469.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.232967522.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.237506792.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.264420353.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.255343857.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.232287785.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5400, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5428, type: MEMORY

System Summary:

One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 640
Uses 32bit PE files
Source: 570000.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal68.troj.winDLL@10/12@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5372
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5428
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5400
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER888.tmp
Source: 570000.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\570000.dll,#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\570000.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\570000.dll,#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 640
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 644
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 272
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\570000.dll,#1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
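
The process-creation lines above are the part of this report that translates most directly into endpoint detection logic. The following added example (not part of the sandbox output) reconstructs the process tree from one copy of each distinct "Process created" line, flags rundll32.exe being handed a DLL under a user profile and told to call an export by ordinal (#1), and records which PIDs WerFault.exe was launched for, so that the crashes can be correlated with the PIDs the Yara section tags as holding Ursnif code. The rule names, the user-path heuristic and the YARA_HIT_PIDS constant are this example's own; loaddll32.exe is the sandbox's loader harness, not something expected on a production host.

```python
import re
from collections import defaultdict

# Constructed from the "Process created" lines of the System Summary above,
# one copy per distinct event, with paths and PIDs as the sandbox reported them.
REPORT_LINES = [
    r"Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\570000.dll'",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\570000.dll,#1",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 640",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 644",
    r"Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 272",
]

# PIDs the Yara section of this report tags as holding Ursnif code.
YARA_HIT_PIDS = {5400, 5372, 5428}

EVENT_RE = re.compile(r"^Source: (?P<parent>\S+) Process created: (?P<image>\S+) (?P<cmdline>.*)$")
# rundll32.exe <dll>,#<ordinal>   (the DLL path may be single-quoted)
ORDINAL_RE = re.compile(r"rundll32\.exe\s+'?(?P<dll>[^',]+?)'?,\s*#(?P<ordinal>\d+)", re.I)
WER_PID_RE = re.compile(r"-p\s+(?P<pid>\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    m = EVENT_RE.match(line)
    return {"parent": m["parent"], "image": m["image"], "cmdline": m["cmdline"]} if m else None


def rule_rundll32_ordinal(ev):
    """rundll32 calling an export by ordinal from a DLL under a user profile:
    a typical way to run a dropped DLL that has no meaningful export name."""
    if basename(ev["image"]) != "rundll32.exe":
        return []
    m = ORDINAL_RE.search(ev["cmdline"])
    if not m or "\\users\\" not in m["dll"].lower():
        return []
    return [{"rule": "rundll32_ordinal_user_path", "parent": ev["parent"],
             "dll": m["dll"], "ordinal": int(m["ordinal"])}]


def rule_process_crash(ev):
    """WerFault.exe -p <pid> is launched for a crashing process; record the PID."""
    if basename(ev["image"]) != "werfault.exe":
        return []
    m = WER_PID_RE.search(ev["cmdline"])
    return [{"rule": "process_crash", "parent": ev["parent"], "pid": int(m["pid"])}] if m else []


def analyse(lines):
    events = [e for e in map(parse_event, lines) if e]
    findings = []
    for ev in events:
        findings += rule_rundll32_ordinal(ev)
        findings += rule_process_crash(ev)
    return events, findings


def crashed_pids(findings):
    return [f["pid"] for f in findings if f["rule"] == "process_crash"]


def process_tree(events):
    """Parent image basename -> list of child image basenames."""
    tree = defaultdict(list)
    for ev in events:
        tree[basename(ev["parent"])].append(basename(ev["image"]))
    return dict(tree)


if __name__ == "__main__":
    events, findings = analyse(REPORT_LINES)
    for parent, children in process_tree(events).items():
        print(f"{parent} -> {', '.join(children)}")
    for f in findings:
        print(f)
    crashed = set(crashed_pids(findings))
    print("Yara-tagged processes that crashed:", sorted(crashed & YARA_HIT_PIDS))
```

On this report's lines the crash rule returns exactly the three Yara-tagged PIDs, which says that every process holding the Ursnif code crashed under the sandbox's loader; the ordinal rule fires twice (once for the direct rundll32 launch, once for the one routed through cmd.exe) and not for the cmd.exe event itself, since the check is keyed on the image actually executing. On a real endpoint the same heuristic is worth running over Sysmon event ID 1 or EDR process-start telemetry, where loaddll32.exe would not be the parent.
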
Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.240629576.00000000030B6000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.236700469.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.232967522.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.237506792.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.264420353.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.255343857.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.232287785.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5400, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5428, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (2 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX (19 identical entries)
Source: rundll32.exe, 00000004.00000002.255353714.00000000048D0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.264436539.00000000046E0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.247837029.0000000005010000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.252014123.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.248316269.0000000004AD0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: rundll32.exe, 00000004.00000002.255353714.00000000048D0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.264436539.00000000046E0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.247837029.0000000005010000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.252014123.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.248316269.0000000004AD0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: rundll32.exe, 00000004.00000002.255353714.00000000048D0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.264436539.00000000046E0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.247837029.0000000005010000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.252014123.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.248316269.0000000004AD0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: rundll32.exe, 00000004.00000002.255353714.00000000048D0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.264436539.00000000046E0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.247837029.0000000005010000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.252014123.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.248316269.0000000004AD0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort (3 identical entries)
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort (4 identical entries)

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1
Source: rundll32.exe, 00000004.00000000.231560419.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000000.233551882.0000000002E30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000000.231560419.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000000.233551882.0000000002E30000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000004.00000000.231560419.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000000.233551882.0000000002E30000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000004.00000000.231560419.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000000.233551882.0000000002E30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000004.00000000.231560419.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000000.233551882.0000000002E30000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.236700469.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.232967522.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.237506792.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.264420353.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.255343857.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.232287785.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5400, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5428, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.236700469.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.232967522.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.237506792.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.264420353.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.255343857.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.232287785.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5400, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 5428, type: MEMORY
No contacted IP infos