Windows Analysis Report 570000.dll

Overview

General Information

Sample Name: 570000.dll
Analysis ID: 444650
MD5: 6577b8581782142e658f404003f240ab
SHA1: c6420b09963f9cc8db489b477238374448b11de8
SHA256: 0314e12bc1cb1e046282a7933eab7e5fa7ec39c9ceaa78e233c7648904af5c28
Tags: dll

Detection

Ursnif
Score: 68 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected Ursnif
Machine Learning detection for sample
Checks if the current process is being debugged
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
One or more processes crash
Uses 32bit PE files

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5428 cmdline: loaddll32.exe 'C:\Users\user\Desktop\570000.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4396 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5372 cmdline: rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • WerFault.exe (PID: 3276 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 644 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • rundll32.exe (PID: 5400 cmdline: rundll32.exe C:\Users\user\Desktop\570000.dll,#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 6048 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 640 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • WerFault.exe (PID: 4036 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
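Hunting logic derived from the process tree above, as an added example rather than anything in the Joe Sandbox report. The events are constructed from the tree's PIDs, images and command lines in a Sysmon-Event-1-like shape (the field names are assumed, not a real log schema), and the list of user-writable paths is the author's. loaddll32.exe is the sandbox's own DLL loader, so in the wild the parent of rundll32.exe would be whatever delivered the DLL; the rule therefore keys on rundll32.exe itself: a DLL under a user-writable path invoked by export ordinal (",#1"), escalated when WerFault.exe is started for that same PID. The report's Sigma overview records no match for this chain, so it is a gap worth covering.

```python
"""Hunt for rundll32.exe loading a user-path DLL by ordinal, then crashing.

Added example (not from the Joe Sandbox report).  EVENTS is constructed from
the report's process tree in a Sysmon-Event-1-like shape; the field names
and the USER_WRITABLE path list are the author's assumptions.
"""
import re

EVENTS = [  # pid, parent pid, image, command line, taken from the process tree
    {"pid": 5428, "ppid": 0,    "image": r"C:\Windows\System32\loaddll32.exe",
     "cmdline": r"loaddll32.exe 'C:\Users\user\Desktop\570000.dll'"},
    {"pid": 4396, "ppid": 5428, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1"},
    {"pid": 5372, "ppid": 4396, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1"},
    {"pid": 3276, "ppid": 5372, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 644"},
    {"pid": 5400, "ppid": 5428, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Desktop\570000.dll,#1"},
    {"pid": 6048, "ppid": 5400, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 640"},
    {"pid": 4036, "ppid": 5428, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 272"},
]

# rundll32 <dll>,#<ordinal>: the DLL path may be quoted with ' or " or not at all.
ORDINAL_CALL = re.compile(
    r"""rundll32(?:\.exe)?\s+["']?(?P<dll>[^"',]+?\.dll)["']?\s*,\s*#(?P<ordinal>\d+)""",
    re.IGNORECASE)
# Locations an unprivileged user can write to (assumed list, extend as needed).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
# "WerFault.exe -p <pid>" names the process that crashed.
WERFAULT_PID = re.compile(r"WerFault\.exe.*?\s-p\s+(?P<pid>\d+)", re.IGNORECASE)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_rundll32(event):
    """Finding for a rundll32 event that loads a user-path DLL by ordinal, else None."""
    if _basename(event["image"]) != "rundll32.exe":
        return None   # cmd.exe merely echoing the same command line is not the loader
    m = ORDINAL_CALL.search(event["cmdline"])
    if m is None:
        return None   # named exports (",DllRegisterServer") need a separate, noisier rule
    dll = m.group("dll")
    if USER_WRITABLE.search(dll) is None:
        return None   # DLLs under System32 and similar are the legitimate rundll32 use
    return {"pid": event["pid"], "ppid": event["ppid"], "dll": dll,
            "ordinal": int(m.group("ordinal")), "crashed": False}


def hunt(events):
    """Correlate flagged rundll32 processes with a WerFault launched for the same PID."""
    findings = {}
    for ev in events:
        f = flag_rundll32(ev)
        if f is not None:
            findings[f["pid"]] = f
    for ev in events:
        if _basename(ev["image"]) != "werfault.exe":
            continue
        m = WERFAULT_PID.search(ev["cmdline"])
        if m is not None and int(m.group("pid")) in findings:
            findings[int(m.group("pid"))]["crashed"] = True
    return findings


def severity(finding):
    """A crash right after the ordinal call shows the DLL's code actually ran; escalate."""
    return "high" if finding["crashed"] else "medium"


if __name__ == "__main__":
    for pid, f in sorted(hunt(EVENTS).items()):
        print(f"pid {pid}: {severity(f)} rundll32 {f['dll']},#{f['ordinal']} crashed={f['crashed']}")
```

Both rundll32 instances (PIDs 5372 and 5400) are flagged and both are corroborated by their WerFault children; the loader's own crash (PID 5428) is ignored because it is not a rundll32 process. Legitimate installers also call rundll32 with ordinals, so the user-writable path condition is what keeps the rule quiet; tune that list rather than dropping the ordinal requirement.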

Malware Configuration

Threatname: Ursnif

{
  "RSA Public Key": "uiTXezezuapGKYR5Hmb7kdSK6au8TKB7wW9g5rwW5i1COxT1S+zuTy9YoTvI7hEm3kZdxYsJDG0+aStAKO8pzy41ZgWbaYpVgP+XSgAT7qWoXdAS/gVbMTJCCqNHkAtniUmHicelSYpHYminzht/W5i+89jC9sbo8vwV/qG0cnCdraqUqpCPQT4N25ybpFXm",
  "c2_domain": ["cdp.geotrust.com", "217.12.221.28", "195.123.247.51", "195.123.213.89", "qpwoeirutyzmxncbp2.xyz", "pqowieurytalskdjp2.xyz", "wopqrituysakldfap2.xyz"],
  "dns_server": ["107.174.86.134", "107.175.127.22"],
  "DGA_count": "10",
  "ip_check_url": ["api.wipmania.com", "ipinfo.io/ip"],
  "server": "12",
  "serpent_key": "10291029JSRABBIT",
  "sleep_time": "1",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "120",
  "time_value": "120",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "120",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "120",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "120",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "5456",
  "capture_window_title?(CRC_KEYLOGLIST)": "",
  "SetWaitableTimer_value": "60"
}
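The configuration above turned into actionable indicators, as an added example that is not part of the Joe Sandbox report or of Ursnif itself. Three things in it are the author's assumptions rather than report content: the allowlist (cdp.geotrust.com is a public CA's certificate-revocation endpoint and is routed to analyst review instead of an automatic block), the treatment of the ip_check_url hosts as public IP-lookup services to hunt on rather than block, and the Suricata sid range.

```python
"""Triage of the Ursnif configuration printed above.

Added example, not part of the Joe Sandbox report or of Ursnif itself.
Assumptions (not from the report): LIKELY_LEGIT, the treatment of the
ip_check_url hosts as public lookup services, and the Suricata sid range.
"""
import base64
import ipaddress
import json

# The configuration exactly as the report prints it.
CONFIG_JSON = r'''{"RSA Public Key": "uiTXezezuapGKYR5Hmb7kdSK6au8TKB7wW9g5rwW5i1COxT1S+zuTy9YoTvI7hEm3kZdxYsJDG0+aStAKO8pzy41ZgWbaYpVgP+XSgAT7qWoXdAS/gVbMTJCCqNHkAtniUmHicelSYpHYminzht/W5i+89jC9sbo8vwV/qG0cnCdraqUqpCPQT4N25ybpFXm", "c2_domain": ["cdp.geotrust.com", "217.12.221.28", "195.123.247.51", "195.123.213.89", "qpwoeirutyzmxncbp2.xyz", "pqowieurytalskdjp2.xyz", "wopqrituysakldfap2.xyz"], "dns_server": ["107.174.86.134", "107.175.127.22"], "DGA_count": "10", "ip_check_url": ["api.wipmania.com", "ipinfo.io/ip"], "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "120", "time_value": "120", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "120", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "120", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "120", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "5456", "capture_window_title?(CRC_KEYLOGLIST)": "", "SetWaitableTimer_value": "60"}'''

# Assumption: cdp.geotrust.com is a public CA's certificate-revocation endpoint,
# so it gets an analyst's look rather than an automatic block.
LIKELY_LEGIT = {"cdp.geotrust.com"}


def load_config(text):
    return json.loads(text)


def split_c2(entries):
    """Separate IP literals from domain names in the c2_domain list."""
    ips, domains = [], []
    for entry in entries:
        try:
            ipaddress.ip_address(entry)
            ips.append(entry)
        except ValueError:
            domains.append(entry)
    return ips, domains


def key_facts(cfg):
    """Sizes and identifiers an analyst wants to sanity-check before trusting the dump."""
    rsa_blob = base64.b64decode(cfg["RSA Public Key"])
    serpent = cfg["serpent_key"].encode()
    return {
        "rsa_blob_bytes": len(rsa_blob),        # 144 bytes for this sample
        "serpent_key_bits": len(serpent) * 8,   # 16 ASCII bytes, a 128-bit key
        "botnet": cfg["botnet"],
        "server": cfg["server"],
        "dga_count": int(cfg["DGA_count"]),
        "timers_s": {k: int(v) for k, v in cfg.items()
                     if k.startswith("SetWaitableTimer_value")},
    }


def iocs(cfg):
    """Typed IOCs as (kind, value, action) with action in {block, review, hunt}."""
    out = []
    ips, domains = split_c2(cfg["c2_domain"])
    out += [("ip", ip, "block") for ip in ips]
    out += [("domain", d, "review" if d in LIKELY_LEGIT else "block") for d in domains]
    # Hard-coded resolvers: if the bot uses them, it never touches the corporate DNS,
    # so endpoint egress to these hosts on udp/53 is the signal to look for.
    out += [("dns-resolver", ns, "block") for ns in cfg["dns_server"]]
    # Public IP-lookup services are legitimate; hunt on them, do not block them.
    out += [("ip-check", url, "hunt") for url in cfg["ip_check_url"]]
    return out


def suricata_rules(cfg, sid_base=9000000):
    """One Suricata rule per blockable IOC (the sid range is an assumption)."""
    rules, sid = [], sid_base
    tag = f'Ursnif botnet {cfg["botnet"]}'
    for kind, value, action in iocs(cfg):
        if action != "block":
            continue
        if kind == "ip":
            rules.append(f'alert ip $HOME_NET any -> {value} any (msg:"{tag} C2 {value}"; sid:{sid}; rev:1;)')
        elif kind == "dns-resolver":
            rules.append(f'alert udp $HOME_NET any -> {value} 53 (msg:"{tag} hard-coded resolver {value}"; sid:{sid}; rev:1;)')
        else:
            rules.append(f'alert dns $HOME_NET any -> any any (msg:"{tag} C2 domain {value}"; dns.query; content:"{value}"; nocase; sid:{sid}; rev:1;)')
        sid += 1
    return rules


if __name__ == "__main__":
    cfg = load_config(CONFIG_JSON)
    print(key_facts(cfg))
    for rule in suricata_rules(cfg):
        print(rule)
```

Two caveats the numbers make visible: the RSA blob decodes to 144 bytes and the serpent_key is a 16-byte (128-bit) key, which is what a practitioner should check before pasting either into a decryptor; and because the sample carries its own dns_server entries, DNS-query logging on the corporate resolver will not see the .xyz lookups if the bot uses those resolvers, whereas outbound udp/53 to 107.174.86.134 or 107.175.127.22 from an endpoint is a strong signal on its own.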

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000001.00000000.236700469.00000000017D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000004.00000000.232967522.00000000048B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
00000001.00000000.237506792.00000000017D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | -
(7 further entries not expanded on the page; the full set of 12 Yara matches is listed under the signature sections below)

            Sigma Overview

            No Sigma rule has matched

            Jbx Signature Overview

            AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 570000.dll; Avira: detected
Found malware configuration
Source: 1.0.loaddll32.exe.570000.0.unpack; Malware Configuration Extractor: Ursnif (the configuration reproduced in the Malware Configuration section above)
Machine Learning detection for sample
Source: 570000.dll; Joe Sandbox ML: detected
Source: 570000.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.238112124.0000000004D27000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp
            Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: wimm32.pdb~,7't source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.239722445.0000000002E7F000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp
            Source: Binary string: fltLib.pdbMs1 source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: sfc_os.pdb`,1' source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: rundll32.pdbk source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: mCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000000A.00000002.246495574.0000000002BE2000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000002.249988868.0000000000842000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000002.247898866.0000000002CB2000.00000004.00000001.sdmp
            Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: sechost.pdbos source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.238558393.0000000002E8B000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.240540546.00000000030BC000.00000004.00000001.sdmp
            Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: mpr.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: fltLib.pdbF, source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: iphlpapi.pdbZ, source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdbws source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: advapi32.pdbcs source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: combase.pdbr, source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: shcore.pdbk source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.239722445.0000000002E7F000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.240520074.00000000030B0000.00000004.00000001.sdmp
            Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: sfc.pdb= source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: winspool.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: propsys.pdb_s# source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: bcrypt.pdbj,+'r source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdbys source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdbH,' source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: winspool.pdbAs% source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000C.00000003.238484656.0000000002E79000.00000004.00000001.sdmp
            Source: Binary string: imagehlp.pdbP,a'a source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: sfc.pdbD source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: setupapi.pdbKs? source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdbes source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: oleaut32.pdb\, source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.238558393.0000000002E8B000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.240540546.00000000030BC000.00000004.00000001.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.238484656.0000000002E79000.00000004.00000001.sdmp
            Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.240629576.00000000030B6000.00000004.00000001.sdmp
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: sfc.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp
Source: loaddll32.exe, 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txt
Source: loaddll32.exe, 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: loaddll32.exe, 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp; String found in binary or memory: http://https://file://USER.ID%lu.exe/upd

            Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match; File source: 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.236700469.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.232967522.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.237506792.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.264420353.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.255343857.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.232287785.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5400, type: MEMORY
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 5428, type: MEMORY
Source: loaddll32.exe, 00000001.00000000.237443532.000000000116B000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

Yara detected Ursnif
Source: Yara match; File source: 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.236700469.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.232967522.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.237506792.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.264420353.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.255343857.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.232287785.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5400, type: MEMORY
Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 5428, type: MEMORY
Source: 570000.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine; Classification label: mal68.troj.winDLL@10/12@0/0
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5372
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5428
Source: C:\Windows\SysWOW64\WerFault.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5400
Source: C:\Windows\SysWOW64\WerFault.exe; File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER888.tmp
Source: 570000.dll; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\570000.dll'
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\570000.dll,#1
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 640
Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 644
Source: C:\Windows\System32\loaddll32.exe; Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5428 -s 272
Source: C:\Windows\SysWOW64\rundll32.exe; Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe; Automated click: OK
            Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: propsys.pdb_s# source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: bcrypt.pdbj,+'r source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: shell32.pdbk source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: shlwapi.pdbys source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: profapi.pdbH,' source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: winspool.pdbAs% source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: rundll32.pdb( source: WerFault.exe, 0000000C.00000003.238484656.0000000002E79000.00000004.00000001.sdmp
            Source: Binary string: imagehlp.pdbP,a'a source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: sfc.pdbD source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: setupapi.pdbKs? source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdbes source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp
            Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: oleaut32.pdb\, source: WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.238558393.0000000002E8B000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.240540546.00000000030BC000.00000004.00000001.sdmp
            Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.241204436.0000000005380000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244374092.0000000005050000.00000004.00000040.sdmp
            Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: rundll32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.238484656.0000000002E79000.00000004.00000001.sdmp
            Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000D.00000003.240629576.00000000030B6000.00000004.00000001.sdmp
            Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: sfc.pdb source: WerFault.exe, 0000000A.00000003.241213662.0000000005386000.00000004.00000040.sdmp, WerFault.exe, 0000000C.00000003.244383478.0000000005056000.00000004.00000040.sdmp
            Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp, WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp
            Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000A.00000003.241187494.00000000053B1000.00000004.00000001.sdmp, WerFault.exe, 0000000C.00000003.244308991.0000000005081000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdbk source: WerFault.exe, 0000000D.00000003.242480144.0000000005391000.00000004.00000001.sdmp

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match; File source: 00000004.00000000.231677722.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000002.251665430.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000000.236700469.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000000.232967522.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000001.00000000.237506792.00000000017D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000000.233920310.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000002.264420353.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000004.00000002.255343857.00000000048B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: 00000005.00000000.232287785.00000000046C8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5400, type: MEMORY
            Source: Yara match; File source: Process Memory Space: rundll32.exe PID: 5372, type: MEMORY
            Source: Yara match; File source: Process Memory Space: loaddll32.exe PID: 5428, type: MEMORY
            Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe; Process information set: NOOPENFILEERRORBOX
            Source: rundll32.exe, 00000004.00000002.255353714.00000000048D0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.264436539.00000000046E0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.247837029.0000000005010000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.252014123.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.248316269.0000000004AD0000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: rundll32.exe, 00000004.00000002.255353714.00000000048D0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.264436539.00000000046E0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.247837029.0000000005010000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.252014123.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.248316269.0000000004AD0000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: rundll32.exe, 00000004.00000002.255353714.00000000048D0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.264436539.00000000046E0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.247837029.0000000005010000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.252014123.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.248316269.0000000004AD0000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: rundll32.exe, 00000004.00000002.255353714.00000000048D0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.264436539.00000000046E0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.247837029.0000000005010000.00000002.00000001.sdmp, WerFault.exe, 0000000C.00000002.252014123.0000000004D70000.00000002.00000001.sdmp, WerFault.exe, 0000000D.00000002.248316269.0000000004AD0000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Windows\System32\loaddll32.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\rundll32.exe; Process queried: DebugPort
            Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\570000.dll',#1
            Source: rundll32.exe, 00000004.00000000.231560419.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000000.233551882.0000000002E30000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd
            Source: rundll32.exe, 00000004.00000000.231560419.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000000.233551882.0000000002E30000.00000002.00000001.sdmp; Binary or memory string: Progman
            Source: rundll32.exe, 00000004.00000000.231560419.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000000.233551882.0000000002E30000.00000002.00000001.sdmp; Binary or memory string: SProgram Managerl
            Source: rundll32.exe, 00000004.00000000.231560419.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000000.233551882.0000000002E30000.00000002.00000001.sdmp; Binary or memory string: Shell_TrayWnd,
            Source: rundll32.exe, 00000004.00000000.231560419.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000000.233551882.0000000002E30000.00000002.00000001.sdmp; Binary or memory string: Progmanlock

            Stealing of Sensitive Information:

            Yara detected Ursnif

            Remote Access Functionality:

            Yara detected Ursnif

            Mitre Att&ck Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection12 | Virtualization/Sandbox Evasion1 | Input Capture1 | Security Software Discovery11 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
            Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Rundll321 | LSASS Memory | Virtualization/Sandbox Evasion1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection12 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud

            Behavior Graph

            Behavior Graph ID: 444650, Sample: 570000.dll, Startdate: 06/07/2021, Architecture: WINDOWS, Score: 68.
            Signatures shown on the graph: Found malware configuration; Antivirus / Scanner detection for submitted sample; Yara detected Ursnif; Machine Learning detection for sample.
            Process chain shown on the graph: loaddll32.exe started cmd.exe, rundll32.exe and WerFault.exe; cmd.exe started rundll32.exe; each rundll32.exe instance started a WerFault.exe instance.

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.