Windows Analysis Report Processwindo.DLL

Overview

General Information

Sample Name: Processwindo.DLL
Analysis ID: 445292
MD5: 5522c21a05daf91658951bdf1c0e5271
SHA1: fed4a9b4069cd2676928441ecf8c844cc7f4a9ee
SHA256: eb6e2519aa5c31174a1ed6c0193b2d0e49e9ed6ca1ac01ed94b3007b5e2f6993
Tags: dll, Gozi

Detection

Ursnif
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Ursnif
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Processwindo.DLL Virustotal: Detection: 29% Perma Link
Source: Processwindo.DLL ReversingLabs: Detection: 21%
Antivirus or Machine Learning detection for unpacked file
Source: 0.3.loaddll32.exe.baa1db.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 6.3.rundll32.exe.315a1db.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.3.rundll32.exe.446a1db.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 3.3.rundll32.exe.27da1db.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 4.3.rundll32.exe.284a1db.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 5.3.rundll32.exe.29ca1db.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: Processwindo.DLL Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: Binary string: c:\Post\806_Blood\Question\animal\four.pdb source: rundll32.exe, 00000002.00000002.546908161.000000006DDB8000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.545590218.000000006DDB8000.00000002.00020000.sdmp, Processwindo.DLL
Source: rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, rundll32.exe, 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, rundll32.exe, 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, rundll32.exe, 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: rundll32.exe String found in binary or memory: https://bussipod.xyz
Source: rundll32.exe, 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp String found in binary or memory: https://bussipod.xyz8

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match (the same 42 memory-dump and process-memory matches as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above)

System Summary:

Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DD72411 NtQueryVirtualMemory, 6_2_6DD72411
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DD721F0 6_2_6DD721F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DD9BCA0 6_2_6DD9BCA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDAC5F4 6_2_6DDAC5F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDB48D1 6_2_6DDB48D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA9813 6_2_6DDA9813
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DD997C0 6_2_6DD997C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDB67FE 6_2_6DDB67FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA4B80 6_2_6DDA4B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDB5359 6_2_6DDB5359
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDB4E15 6_2_6DDB4E15
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6DDA8D18 appears 47 times
Uses 32bit PE files
Source: Processwindo.DLL Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal56.troj.winDLL@17/0@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_01
Source: Processwindo.DLL Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
Source: Processwindo.DLL Virustotal: Detection: 29%
Source: Processwindo.DLL ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\Processwindo.DLL'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\Processwindo.DLL'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Piecehear Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Stickregion Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Would Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 5 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Processwindo.DLL Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Processwindo.DLL Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Processwindo.DLL Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Processwindo.DLL Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Processwindo.DLL Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Processwindo.DLL Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Processwindo.DLL Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Post\806_Blood\Question\animal\four.pdb source: rundll32.exe, 00000002.00000002.546908161.000000006DDB8000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.545590218.000000006DDB8000.00000002.00020000.sdmp, Processwindo.DLL
Source: Processwindo.DLL Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Processwindo.DLL Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Processwindo.DLL Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Processwindo.DLL Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Processwindo.DLL Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
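The process tree in this section (loaddll32.exe spawning rundll32.exe with the DLL from the user's Desktop and the named exports Formweather, Piecehear, Stickregion and Would, the ordinal #1 call routed through cmd.exe, and a separate cmd.exe "timeout /t 5 && del" chain removing the DLL) is the part of the report most directly usable for detection. The Python below is an added example, not Joe Sandbox output and not code from the sample: it runs a few rules over process-creation events and correlates the delete target with DLLs previously handed to rundll32. The event records are constructed here from the "Process created" lines above in a simplified Sysmon-like shape (pid, parent image, image, command line); the PIDs are made up, and the shell32.dll control event is invented as a benign contrast.

```python
"""Process-tree triage for the rundll32 / self-delete pattern shown in this report.

Added example, not Joe Sandbox logic. Events are constructed from the report's
'Process created' lines; PIDs and the shell32.dll control event are invented.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


# rundll32 argument forms seen in the report: <dll>,<ExportName> and '<dll>',#<ordinal>
RUNDLL_ARGS = re.compile(
    r"rundll32(?:\.exe)?\s+['\"]?(?P<dll>[^'\",]+?)['\"]?\s*,\s*(?P<entry>#\d+|[A-Za-z_]\w*)",
    re.IGNORECASE,
)
# Delayed delete chain: timeout /t N && del <file>
DELAYED_DEL = re.compile(
    r"timeout\s+/t\s+\d+\s*&&\s*del\s+['\"]?(?P<target>[^'\"]+?)['\"]?\s*$",
    re.IGNORECASE,
)
# Anything under C:\Users\<name>\ (Desktop, Downloads, AppData) is writable by that user.
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def triage(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return a list of finding tags per PID (empty list = nothing flagged)."""
    findings: Dict[int, List[str]] = {ev.pid: [] for ev in events}
    loaded: Set[str] = set()  # DLL paths handed to rundll32, lower-cased for matching

    # Pass 1: rundll32 invocations. Record the DLL and flag risky argument shapes.
    for ev in events:
        if not ev.image.lower().endswith("rundll32.exe"):
            continue
        m = RUNDLL_ARGS.search(ev.cmdline)
        if not m:
            continue
        dll, entry = m.group("dll"), m.group("entry")
        loaded.add(dll.lower())
        if USER_WRITABLE.match(dll):
            findings[ev.pid].append("rundll32_dll_in_user_writable_path")
        if entry.startswith("#"):
            findings[ev.pid].append("rundll32_export_by_ordinal")

    # Pass 2: delayed deletes, correlated against the DLLs seen in pass 1.
    for ev in events:
        if not ev.image.lower().endswith("cmd.exe"):
            continue
        m = DELAYED_DEL.search(ev.cmdline)
        if not m:
            continue
        findings[ev.pid].append("delayed_delete_chain")
        if m.group("target").lower() in loaded:
            findings[ev.pid].append("delete_of_dll_loaded_by_rundll32")
    return findings


# Constructed from the report's process tree (PIDs invented; event 5 is a benign control).
EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1"),
    ProcEvent(2, r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\user\Desktop\Processwindo.DLL,Formweather"),
    ProcEvent(3, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1"),
    ProcEvent(4, "unknown", r"C:\Windows\System32\cmd.exe",
              r"'C:\Windows\System32\cmd.exe' /C timeout /t 5 && del 'C:\Users\user\Desktop\Processwindo.DLL'"),
    ProcEvent(5, r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


if __name__ == "__main__":
    for pid, tags in triage(EVENTS).items():
        print(pid, tags or "-")
```

The bare delayed_delete_chain tag is weak on its own: the parent of that cmd.exe is recorded as "unknown" above, and installers and cleanup scripts produce the same timeout-and-delete shape. The correlation tag delete_of_dll_loaded_by_rundll32, together with the DLL sitting in a user-writable path, is the combination worth alerting on.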

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DD7132A GetModuleHandleW,LoadLibraryW,GetProcAddress, 6_2_6DD7132A
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DD721DF push ecx; ret 6_2_6DD721EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA8D5D push ecx; ret 6_2_6DDA8D70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DD80D55 push edi; iretd 6_2_6DD80D56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DD80CDF push 00000065h; retf 6_2_6DD80CE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA54F2 push ecx; ret 6_2_6DDA5505
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DD80881 push ebx; ret 6_2_6DD80882
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDD0560 push eax; ret 6_2_6DDD0511
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDD04E1 push eax; ret 6_2_6DDD0511

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match (the same 42 memory-dump and process-memory matches as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above)
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA4CBF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6DDA4CBF
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DD7132A GetModuleHandleW,LoadLibraryW,GetProcAddress, 6_2_6DD7132A
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDD1390 mov eax, dword ptr fs:[00000030h] 6_2_6DDD1390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDD0EC6 push dword ptr fs:[00000030h] 6_2_6DDD0EC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDD12BF mov eax, dword ptr fs:[00000030h] 6_2_6DDD12BF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDB1CF3 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 6_2_6DDB1CF3
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA5170 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6DDA5170
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA110C _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6DDA110C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA4CBF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6DDA4CBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6DDA4724 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6DDA4724
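The "push reg; ret" / "push 00000065h; retf" sequences listed under Data Obfuscation and the fs:[30h] PEB reads listed in this section are both produced by the sandbox's code scanning, which the report does not show. The Python below is an added example, not Joe Sandbox's own logic: it matches the raw 32-bit x86 encodings of those instruction pairs over a code buffer and reports their virtual addresses and decoded form. The bytes it scans are constructed for the demo and are not taken from Processwindo.DLL; the base address 0x6DD70000 is only an assumed illustrative module base, and a real run would pass the bytes of the .text section together with the actual load address.

```python
"""Opcode-pattern scanner for two code signatures in this report.

Added example, not Joe Sandbox code. Matches raw x86 (32-bit) encodings:
  push r32 (50..57) or push imm8 (6A ib), directly followed by ret (C3) / retf (CB)
  mov eax, dword ptr fs:[30h]   -> 64 A1 30 00 00 00
  push dword ptr fs:[30h]       -> 64 FF 35 30 00 00 00
fs:[30h] is the PEB pointer in the 32-bit TEB. The bytes scanned below are
constructed for the demo, not taken from the sample.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # low 3 bits of 50..57

PATTERNS = [
    ("push reg; ret", re.compile(rb"[\x50-\x57][\xC3\xCB]")),
    ("push imm8; ret", re.compile(rb"\x6A.[\xC3\xCB]", re.DOTALL)),
    ("fs:[30h] PEB read", re.compile(rb"\x64(?:\xA1|\xFF\x35)\x30\x00\x00\x00")),
]


def decode(b: bytes) -> str:
    """Render matched bytes as the instruction(s) they encode."""
    if b[0] == 0x64:  # fs segment override
        return "mov eax, dword ptr fs:[30h]" if b[1] == 0xA1 else "push dword ptr fs:[30h]"
    tail = "ret" if b[-1] == 0xC3 else "retf"
    if b[0] == 0x6A:
        return f"push {b[1]:08X}h; {tail}"  # same rendering as the report's 'push 00000065h; retf'
    return f"push {REG32[b[0] & 7]}; {tail}"


def scan(code: bytes, base: int = 0) -> List[Tuple[int, str, str]]:
    """Return (virtual address, signature label, decoded text) for every hit, by address."""
    hits = []
    for label, pat in PATTERNS:
        for m in pat.finditer(code):
            hits.append((base + m.start(), label, decode(m.group(0))))
    return sorted(hits)


def summarize(code: bytes) -> Dict[str, int]:
    """Hit count per signature label."""
    return dict(Counter(label for _, label, _ in scan(code)))


BASE = 0x6DD70000  # assumed module base for the demo, not taken from the report
# Constructed code buffer; offsets noted per instruction.
SAMPLE = (
    b"\x55\x8B\xEC"                  # +0  push ebp; mov ebp, esp       (prologue, no hit)
    b"\x64\xA1\x30\x00\x00\x00"      # +3  mov eax, dword ptr fs:[30h]  (PEB read)
    b"\x8A\x40\x02"                  # +9  mov al, [eax+2]              (PEB.BeingDebugged)
    b"\x51\xC3"                      # +12 push ecx; ret
    b"\x6A\x65\xCB"                  # +14 push 65h; retf
    b"\x64\xFF\x35\x30\x00\x00\x00"  # +17 push dword ptr fs:[30h]      (PEB read)
    b"\x5D\xC3"                      # +24 pop ebp; ret                 (no hit)
)


if __name__ == "__main__":
    for va, label, text in scan(SAMPLE, BASE):
        print(f"{va:08X}  {label:18s}  {text}")
    print(summarize(SAMPLE))
```

Matching raw bytes without disassembling can hit immediates or data that happen to contain these encodings, and "push reg; ret" also appears in ordinary compiler-generated code, so hit counts from a scan like this are weak evidence to be read alongside the Yara and AV results, not a verdict on their own.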

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\Processwindo.DLL',#1 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 5 Jump to behavior
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 00000002.00000002.533884058.0000000003030000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.533886102.0000000002DA0000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.534193861.0000000002FD0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.533756047.0000000003540000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 6_2_6DDB119B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_6DDAA3AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 6_2_6DDA6F11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 6_2_6DDAAA19
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 6_2_6DDAC059
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s, 6_2_6DDAC403
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_6DDB482E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_6DDABFC1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_6DDAC3C7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_6DDAC360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 6_2_6DDB1329
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA, 6_2_6DDB46EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_6DDAC29F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 6_2_6DDB46BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 6_2_6DDABEAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 6_2_6DDAFB69
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
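Most of the "Code function" chains above are MSVC C runtime internals rather than sample-authored logic: names such as ___getlocaleinfo, _LcidFromHexString, _GetPrimaryLen, _TranslateName and _GetLcidFromLangCountry are the CRT's setlocale() helpers, and the GetSystemTimeAsFileTime/GetCurrentProcessId/GetCurrentThreadId/GetTickCount/QueryPerformanceCounter sequence is how the CRT seeds the /GS stack cookie. The script below is an added triage example written for this page, not part of the Joe Sandbox report or its tooling. It parses lines of the shape shown in this section, tags the ones whose callee chain contains a known CRT helper or the cookie-seeding sequence, and leaves the remaining functions (those that reach Win32 APIs with no CRT marker) for manual review. The CRT name table and the "Win32 exports never start with an underscore" rule are the editor's heuristics, and the sample lines are a subset copied from this section.

```python
"""Separate MSVC CRT plumbing from sample-authored code in Joe Sandbox
"Code function" lines of the form
  Source: <image> Code function: <callee>,<callee>,..., <proc>_<dump>_<address>
Heuristics here are the editor's, not the sandbox's (see lead-in)."""
import re

LINE_RE = re.compile(
    r"Code function:\s*(?:\d+_\d+_[0-9A-Fa-f]+\s+)?"   # tolerate a leading id copy
    r"(?P<chain>.*?),?\s*(?P<proc>\d+)_(?P<dump>\d+)_(?P<addr>[0-9A-Fa-f]+)\s*$"
)

# MSVC CRT helper names as Joe Sandbox prints them. The locale ones belong to the
# CRT's setlocale()/getqloc machinery; the rest are CRT heap/diagnostic helpers.
CRT_MARKERS = {
    "___crtGetLocaleInfoA", "___crtGetLocaleInfoW", "__crtGetLocaleInfoA_stat",
    "___getlocaleinfo", "___crtGetStringTypeA", "___crtLCMapStringA",
    "_LcidFromHexString", "_GetPrimaryLen", "_TranslateName",
    "_GetLcidFromLangCountry", "_GetLcidFromLanguage", "_TestDefaultLanguage",
    "_ProcessCodePage", "___free_lconv_num", "_LocaleUpdate::_LocaleUpdate",
    "__calloc_crt", "__malloc_crt", "__invoke_watson", "__getptd",
}
# Exact call sequence of the CRT's __security_init_cookie (GS cookie seeding).
GS_COOKIE_SEQ = ("GetSystemTimeAsFileTime", "GetCurrentProcessId",
                 "GetCurrentThreadId", "GetTickCount", "QueryPerformanceCounter")

# Constructed input: a subset of the lines from this section of the report.
SAMPLE_LINES = [
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 6_2_6DDAC059",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s, 6_2_6DDAC403",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: GetLocaleInfoA, 6_2_6DDB1329",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Code function: GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 6_2_6DDAFB69",
    "Source: C:\\Windows\\SysWOW64\\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid Jump to behavior",
]


def is_win32(name):
    """Heuristic: Win32 exports never start with an underscore; CRT internals do."""
    return not name.startswith("_") and "::" not in name


def parse_line(line):
    """Return {proc, dump, addr, chain} for a 'Code function' line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    chain = [c.strip() for c in m["chain"].split(",") if c.strip()]
    return {"proc": int(m["proc"]), "dump": int(m["dump"]),
            "addr": int(m["addr"], 16), "chain": chain}


def classify(rec):
    """Tag a parsed record as CRT plumbing or as code that needs a human look."""
    chain = rec["chain"]
    win32 = [c for c in chain if is_win32(c)]
    markers = sorted(set(chain) & CRT_MARKERS)
    if tuple(c for c in chain if c in GS_COOKIE_SEQ) == GS_COOKIE_SEQ:
        tag = "crt: __security_init_cookie (GS cookie seed)"
    elif markers:
        tag = "crt: locale/heap helper (" + ", ".join(markers[:3]) + ")"
    elif win32:
        tag = "unattributed: direct Win32 use, review in disassembler"
    else:
        tag = "unattributed: no Win32 call"
    return {"tag": tag, "win32": win32, "markers": markers}


def triage(lines):
    """Parse and classify every 'Code function' line; other lines are skipped."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        rec.update(classify(rec))
        out.append(rec)
    return out


def format_report(recs):
    return "\n".join(
        f"{r['proc']}_{r['dump']}_{r['addr']:08X}  {r['tag']:55s} win32={','.join(r['win32']) or '-'}"
        for r in recs
    )


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LINES)))
```

On this report every locale-related function carries a CRT marker; the only rows that come out "unattributed" are single GetLocaleInfoA callers with no surrounding CRT names, which is where an analyst would start reading. The registry read of MachineGuid is not a "Code function" line and is deliberately not parsed here; it is behavioural evidence in its own right.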

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.505312952.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.482226881.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.504200485.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.483330440.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.484424201.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.492896787.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.501636521.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.478507309.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.507395873.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.509298734.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.472579495.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.481041816.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.503569052.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.506726759.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.502575095.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.504793852.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.479769678.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.477123674.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.493854181.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.486817454.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.475731055.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.498075018.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.489614241.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.485563074.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.508698694.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.507998418.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.536639176.0000000007440000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.491910868.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.490684908.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.488235780.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.474346920.0000000007360000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.542546600.0000000006F70000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5996, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 4308, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5984, type: MEMORY
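The "Yara detected Ursnif" list above, repeated verbatim under "Stealing of Sensitive Information" and "Remote Access Functionality", is one rule hit reported once per memory dump, so a single region that was re-dumped while the process ran produces dozens of near-identical lines. The script below is an added triage example written for this page, not part of the Joe Sandbox report or its tooling; it collapses the list into one row per (process index, base address) and pulls out the PIDs from the "Process Memory Space" entries. The dump-name field layout it relies on, `<process index>.<dump kind>.<dump id>.<base address>.<flags>.<flags>.sdmp`, is inferred from the names on this page; the reading of kind 3 as a snapshot taken during execution and kind 2 as the dump at process end is an assumption (kind 3 recurs with increasing ids for the same region, kind 2 appears once per process), and the last two fields are not interpreted. The sample lines are a subset copied from the list above.

```python
"""Collapse Joe Sandbox Yara memory hits into one row per memory region.

Dump names in the report look like
    00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp
Assumed field layout (see lead-in; last two fields are not interpreted):
    <process index>.<dump kind>.<dump id>.<base address>.<flags>.<flags>.sdmp
"""
import re
from collections import Counter

DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<f1>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.sdmp$"
)
PID_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")
SRC_RE = re.compile(r"File source:\s*(?P<src>.*?),\s*type:\s*(?P<type>\w+)\s*$")

# Constructed input: a subset of the Yara match lines from this report.
SAMPLE_LINES = [
    "Source: Yara match File source: 00000002.00000003.506028485.0000000007360000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000002.00000003.495420595.0000000007360000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000006.00000002.544385763.00000000078E0000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000003.00000002.528553318.0000000005B00000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000002.00000002.546136992.0000000007360000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5560, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5540, type: MEMORY",
]


def parse_dump_name(name):
    """Split a .sdmp name into its numeric fields, or return None if it does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    return {"proc": int(m["proc"], 16), "kind": int(m["kind"], 16),
            "dump_id": int(m["dump_id"]), "base": int(m["base"], 16)}


def summarize(lines):
    """Group hits by (process index, base address); collect PIDs of whole-process hits.

    Returns (regions, pids) where regions maps the key to a dict with a Counter of
    dump kinds and the lowest/highest dump id seen for that region."""
    regions = {}
    pids = set()
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        src = m["src"].strip()
        pm = PID_RE.match(src)
        if pm:
            pids.add((pm["image"], int(pm["pid"])))
            continue
        d = parse_dump_name(src)
        if d is None:
            continue  # unknown source shape; leave it for the full list
        key = (d["proc"], d["base"])
        r = regions.setdefault(key, {"kinds": Counter(),
                                     "first_id": d["dump_id"], "last_id": d["dump_id"]})
        r["kinds"][d["kind"]] += 1
        r["first_id"] = min(r["first_id"], d["dump_id"])
        r["last_id"] = max(r["last_id"], d["dump_id"])
    return regions, pids


def format_report(regions, pids):
    """One line per region, plus the PIDs that matched as whole process spaces."""
    rows = [
        f"proc {proc:2d}  base 0x{base:08X}  kind3 snapshots: {r['kinds'][3]:2d}  "
        f"kind2 final: {r['kinds'][2]}  dump ids {r['first_id']}..{r['last_id']}"
        for (proc, base), r in sorted(regions.items())
    ]
    rows.append("whole-process hits: " + ", ".join(f"{img} PID {pid}" for img, pid in sorted(pids)))
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(*summarize(SAMPLE_LINES)))
```

Run against the full list above, this reduces roughly forty lines to four regions (one per rundll32 process index 2, 3, 4, 5, 6 that matched, with process 2's 0x07360000 region snapshotted repeatedly) plus five PIDs, which is the shape an analyst actually needs when deciding which dump to carve the unpacked Ursnif module from.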
No contacted IP infos