Windows Analysis Report d7b.dll

ID:	446419
Product:	CloudBasic
Start time:	15:22:13
Start date:	09.07.2021
Sample:	d7b.dll
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	d7b3fe9b94d3896df9d9f77b37adbf37
SHA1:	6b71978633aa2f91c15ef48eaf3cc4dd54ea7dd0
SHA256:	f7a1ecdd925fd1e03ff08f547b24a10e64a5996060feab65e77f6ca0339b6a00
Filetype:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4867C43A-E104-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	28A7EAD9FEF0F8A1BEE33458A101203E	7372D71852AF2246FB4F42C90F608D0CA6A01E1C	DACB9CD03A0E6447C93777143A7E60051FE92FB7286B2BAB8800D660C7AC3412
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6381B6AC-E104-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	B402D4DA42DB6AC7746B0C5EAB5AA449	BFF1BA3C5D8353B885F6A0DAF53EFA5ABA0D4F08	CD68F120565EE340BA2783DDCB692871493A3EA95927E0EB8228CC99091B65E4
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{73AF066C-E104-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	39ADDC886722A39C458480580588A169	2EC5F8DCA103F5DE08020D951857FEFBBB0E5540	1EDAC51AB67C28DFD2EB3E275202AAAD9EB4AF564B4D3B1CE6866F9F2D7F8D79
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4867C43C-E104-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	5A47016BD43BC6597414801E54A8B7E5	6F0E46FB00536DB43D59B5DD3C5969D72A014A00	B72EA802E97334F829C08C7A24673BA39835D1841F047B442023EEEB50D5C949
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4867C43E-E104-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	53D19F0802814ECB05CB126653E9E9FB	9736773A7DEF1E61627CC2FF034A245D0A93A0D3	EF4E9E8108B9B4A86DFB184BD1402611B1F429957EF4A68C367CB76F5CE04C62
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6381B6AE-E104-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	982E7C8EBEE59300B32DABAA7E7A3BA3	329C11A1C3708568E9E3A80B16DB967DC94CE165	05E59606F7508D66E16553464DEEDAFC107A112DA7FE829C59F45C2C0FC484F3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6381B6B0-E104-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	8AB48EFC10317CEAA1FE2D0476A916E3	DAC3AB981176A5C155B3415D82A1FFF1B95DB430	7FF5E0662A770619B57E9887E9D39E34FEDA289DC79354E6F4B5E2F134EBB908
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{73AF066E-E104-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	7355D24494D7F9681275E40882D403F4	B5B61DAEC41A6957B14B256CAAF163EFFE2421D7	02D6DD1797CA4FB30A5485D708CA54FD9F44DAF94A5CAAD939F8388C24A02A72
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{73AF0670-E104-11EB-90E5-ECF4BB2D2496}.dat	Microsoft Word Document	F1179FACA6553E4D2ADFA8FE51BA41E4	F0ABCEA7A141C748996234D4BBA36DD70FB5E5F3	8800F37EDE6C065D97F8FA4FEF848B4B847534F6270EB1B082E76F989D5A6B29
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	DFEABDE84792228093A5A270352395B6	E41258C9576721025926326F76063C2305586F76	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\dnserror[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	2DC61EB461DA1436F5D22BCE51425660	E1B79BCAB0F073868079D807FAEC669596DC46C1	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3Y2ADQKS\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\dnserror[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	2DC61EB461DA1436F5D22BCE51425660	E1B79BCAB0F073868079D807FAEC669596DC46C1	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\googlelogo_color_150x54dp[1].png	PNG image data, 150 x 54, 8-bit/color RGBA, non-interlaced	9D73B3AA30BCE9D8F166DE5178AE4338	D0CBC46850D8ED54625A3B2B01A2C31F37977E75	DBEF5E5530003B7233E944856C23D1437902A2D3568CDFD2BEAF2166E9CA9139
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9QTQHWWN\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	DFEABDE84792228093A5A270352395B6	E41258C9576721025926326F76063C2305586F76	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\dnserror[1]	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators	2DC61EB461DA1436F5D22BCE51425660	E1B79BCAB0F073868079D807FAEC669596DC46C1	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G62TDH9B\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\NewErrorPageTemplate[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	DFEABDE84792228093A5A270352395B6	E41258C9576721025926326F76063C2305586F76	77B138AB5D0A90FF04648C26ADDD5E414CC178165E3B54A4CB3739DA0F58E075
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\down[1]	PNG image data, 15 x 15, 8-bit colormap, non-interlaced	C4F558C4C8B56858F15C09037CD6625A	EE497CC061D6A7A59BB66DEFEA65F9A8145BA240	39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\errorPageStrings[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	D65EC06F21C379C87040B83CC1ABAC6B	208D0A0BB775661758394BE7E4AFB18357E46C8B	A1270E90CEA31B46432EC44731BF4400D22B38EB2855326BF934FE8F1B169A4F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\httpErrorPagesScripts[1]	UTF-8 Unicode (with BOM) text, with CRLF line terminators	9234071287E637F85D721463C488704C	CCA09B1E0FBA38BA29D3972ED8DCECEFDEF8C152	65CC039890C7CEB927CE40F6F199D74E49B8058C3F8A6E22E8F916AD90EA8649
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\robot[1].png	PNG image data, 171 x 213, 8-bit colormap, non-interlaced	4C9ACF280B47CEF7DEF3FC91A34C7FFE	C32BB847DAF52117AB93B723D7C57D8B1E75D36B	5F9FC5B3FBDDF0E72C5C56CDCFC81C6E10C617D70B1B93FBE1E4679A8797BFF7
C:\Users\user\AppData\Local\Temp\JavaDeployReg.log	ASCII text, with CRLF line terminators	C18CBA6ADE6711248CA5D7805B18FDA1	BD5235B5784ED6F6F3FF94C054B3EEF1D7FD25AB	1A7EC4E2992080A33E6D7119B19C6E3096E605D52148E9EB953960866ECD0840
C:\Users\user\AppData\Local\Temp\~DF2FCFC3BB466E5731.TMP	data	73329ED3AF6E87AAA47A37873CB490BA	179667E389BA5273E725EF23E9452016F0DB0CF7	180D5D5452E7E9AD6AFCD4616E92A0F8C84DCFA5B03108C84615F7C3113B38E5
C:\Users\user\AppData\Local\Temp\~DF37FF5ADB2A3C5C85.TMP	data	C425F6B267A0465BB17DCB3E571FF5A0	3C5898378E982C41A42C1101B3BC768EF3301399	DA12B1C0B7D54A8503AAC76C311DEFFFB18561C34DFD7709D79808D260297283
C:\Users\user\AppData\Local\Temp\~DF3F9E1034F19351C0.TMP	data	B5D386DF0BE0580FC2C231BFD46FD823	1D1F9C9477897FCAAD3CD92F080E32420C51815F	29531CD8BB74AFF1110CD09AF7FE1413799733A2A22C03472DC7039FD31BBC9F
C:\Users\user\AppData\Local\Temp\~DF5262AAEC80EEA271.TMP	data	CAE2D43708FDFEDC6701CE721A62C9A7	D4301490938CDB0596739B573553264774469817	726162562205A89C0DD2CAA459FD1930589DD28BBFD76546AEF15AB819226E0B
C:\Users\user\AppData\Local\Temp\~DF7FBE38EED9F80135.TMP	data	9A85001A539F5FE426BE69F69B4C616C	B94ED00B0024057F33BB5D864423D2B2E74F5E90	962BB0DB7476452650AFEB374A643195F565B9B86FA044121E7A71FF44F41167
C:\Users\user\AppData\Local\Temp\~DF9E247E5B8AC6418E.TMP	data	E7571657C8E60647FFF6FC995A8E3F9D	CDBAF6E94ACEA9CB016BFF331E1B1C21262F6C54	9358E491ACBC78F1CC55D0CAAABE406D5F25399E5AF634C4060411CC3E387FB3
C:\Users\user\AppData\Local\Temp\~DFA7D5D08F02F08219.TMP	data	EFE671830B139377402A1ED7E3CCF816	C0AED281E80F6E05E343B7A65AB27D414F2C7995	EF07F596F23B2E8DC2543035AD6C58C354769DE7522A1429729AF49EF6329A30
C:\Users\user\AppData\Local\Temp\~DFCC73204E5D3290B9.TMP	data	689F587B5BD42F0DF983C37DF23CA9CD	CBC78527AFABDBF6867C7D943387A9D0E0B50A5A	537525993439B1C0E560E6079386A9B6EC99307899ABE68A8FDF425CD22D056C
C:\Users\user\AppData\Local\Temp\~DFDCADCAD629B07705.TMP	data	B837B9544B6D62BBE35F348410004255	F7D0A81ED6E2CB03D00638F96EA4C588F41A5835	2B33EDAA4C35443E7BFC32584198B915A020DCF85767B8EDD7009934F57904F1

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: d7b.dll

Avira: detected

Multi AV Scanner detection for submitted file

Source: d7b.dll	Metadefender: Detection: 37%			Perma Link
Source: d7b.dll	ReversingLabs: Detection: 62%

Machine Learning detection for sample

Source: d7b.dll

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Source: d7b.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: d7b.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Source:

Binary string: c:\Paint\Baby\String\Felt\beauty\little\mindclock.pdb source: loaddll32.exe, 00000000.00000002.596728829.000000006D989000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.597761911.000000006D989000.00000002.00020000.sdmp, d7b.dll

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.6:49724 -> 172.217.168.78:80

Performs DNS queries to domains with low reputation

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: ooakieyrc.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: ooakieyrc.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: ooakieyrc.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	DNS query: ooakieyrc.xyz

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190
Source: unknown	TCP traffic detected without corresponding DNS query: 81.92.202.190

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: ooakieyrc.xyz

URLs found in memory or binary data

Source: {73AF0670-E104-11EB-90E5-ECF4BB2D2496}.dat.27.dr	String found in binary or memory: http://81.92.202.190/images/6_2Bfi3b1BN36VCLTJu/7xXAKaMrEwHuufQ0qCrZ8t/2MLMlwG9w9jdT/PNPs5keC/50Od9L
Source: {73AF066E-E104-11EB-90E5-ECF4BB2D2496}.dat.27.dr	String found in binary or memory: http://81.92.202.190/images/Rv8GrTLYptzSKPZ/L4_2FdPuwtqV2xQNJp/z_2FfwkAJ/Fv_2BGyCrahYt_2FNGpY/ghlbjT
Source: {4867C43C-E104-11EB-90E5-ECF4BB2D2496}.dat.9.dr	String found in binary or memory: http://google.com/images/D2C5vfrSqC9/0QY2E5fyBElqGL/KexG_2Fvw2ZjPL7Hw1vAC/yIiJSAPDJ0pvzm0m/gq5wu0ciS
Source: ~DF9E247E5B8AC6418E.TMP.9.dr, {4867C43E-E104-11EB-90E5-ECF4BB2D2496}.dat.9.dr	String found in binary or memory: http://google.com/images/nEH4fv80NMb6jmWf42s/yWPosL9TmLhv46sbdsSAla/6VrnHflFUDDQp/Fat6z6l3/7LJBcgRPk
Source: {6381B6B0-E104-11EB-90E5-ECF4BB2D2496}.dat.21.dr	String found in binary or memory: http://ooakieyrc.xyz/images/7kc3AOalDAVrSC/miBJwAGiWQLur4VkluCOz/xRVn0UZ3CFv16_2B/wOU1EGTVWcgl78r/3l
Source: {6381B6AE-E104-11EB-90E5-ECF4BB2D2496}.dat.21.dr	String found in binary or memory: http://ooakieyrc.xyz/images/X1oZp6Zj_2FwjdZ/GmHjDHWSzeA_2FTY8s/I0hYASmbJ/uk7yqg3FxgKimKg4iEaQ/oRj2iH

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.384867126.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386739440.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384991598.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386787805.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.596356802.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384681414.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386833228.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385026148.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385049727.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385084591.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386804155.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386611964.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384965086.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385068995.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.594418378.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386843346.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386704666.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386554114.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6136, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5604, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.384867126.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386739440.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384991598.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386787805.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.596356802.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384681414.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386833228.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385026148.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385049727.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385084591.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386804155.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386611964.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384965086.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385068995.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.594418378.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386843346.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386704666.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386554114.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6136, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5604, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D9722C9 NtQueryVirtualMemory,LdrInitializeThunk,		0_2_6D9722C9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E84F66 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		0_2_00E84F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012B4F66 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		3_2_012B4F66
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01374F66 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,		4_2_01374F66

Detected potential crypto function

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D9720A8		0_2_6D9720A8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E8A29C		0_2_00E8A29C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E8541A		0_2_00E8541A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012B541A		3_2_012B541A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012BA29C		3_2_012BA29C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0137541A		4_2_0137541A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0137A29C		4_2_0137A29C

Uses 32bit PE files

Source: d7b.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Source: d7b.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Classification label

Source: classification engine

Classification label: mal88.troj.winDLL@22/43@4/2

Creates files inside the user directory

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4867C43A-E104-11EB-90E5-ECF4BB2D2496}.dat

Jump to behavior

Creates temporary files

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFCC73204E5D3290B9.TMP

Jump to behavior

PE file has an executable .text section and no other executable section

Source: d7b.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads ini files

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Runs a DLL by calling functions

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d7b.dll,Moleculenotice

Sample is known by Antivirus

Source: d7b.dll	Metadefender: Detection: 37%
Source: d7b.dll	ReversingLabs: Detection: 62%

Spawns processes

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\d7b.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\d7b.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d7b.dll,Moleculenotice
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\d7b.dll',#1
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5640 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5640 CREDAT:17414 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7080 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7080 CREDAT:17414 /prefetch:2
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5248 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5248 CREDAT:17414 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\d7b.dll',#1			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\d7b.dll,Moleculenotice			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\d7b.dll',#1			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5640 CREDAT:17410 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5640 CREDAT:17414 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7080 CREDAT:17410 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7080 CREDAT:17414 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5248 CREDAT:17410 /prefetch:2			Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5248 CREDAT:17414 /prefetch:2			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\loaddll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses new MSVCR Dlls

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: d7b.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: d7b.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:

Binary string: c:\Paint\Baby\String\Felt\beauty\little\mindclock.pdb source: loaddll32.exe, 00000000.00000002.596728829.000000006D989000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.597761911.000000006D989000.00000002.00020000.sdmp, d7b.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D972097 push ecx; ret		0_2_6D9720A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D972050 push ecx; ret		0_2_6D972059
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E8A28B push ecx; ret		0_2_00E8A29B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E89E40 push ecx; ret		0_2_00E89E49
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D9819AB pushad ; iretd		0_2_6D9819AE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D9809D7 push ebp; iretd		0_2_6D9809F2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D980093 pushad ; ret		0_2_6D9800A8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D981009 push ecx; retf		0_2_6D981086
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D981055 push ecx; retf		0_2_6D981086
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D9857C5 push ecx; ret		0_2_6D9857D8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D980204 pushad ; retf		0_2_6D980222
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D981278 pushad ; retn 0048h		0_2_6D981279
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012B9E40 push ecx; ret		3_2_012B9E49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012BA28B push ecx; ret		3_2_012BA29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01379E40 push ecx; ret		4_2_01379E49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0137A28B push ecx; ret		4_2_0137A29B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D9819AB pushad ; iretd		4_2_6D9819AE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D9809D7 push ebp; iretd		4_2_6D9809F2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D980093 pushad ; ret		4_2_6D9800A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D981009 push ecx; retf		4_2_6D981086
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D981055 push ecx; retf		4_2_6D981086
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D9857C5 push ecx; ret		4_2_6D9857D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D980204 pushad ; retf		4_2_6D980222
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D981278 pushad ; retn 0048h		4_2_6D981279

Binary may include packed or encrypted code

Source: initial sample

Static PE information: section name: .text entropy: 6.99787070557

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.384867126.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386739440.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384991598.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386787805.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.596356802.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384681414.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386833228.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385026148.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385049727.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385084591.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386804155.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386611964.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384965086.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385068995.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.594418378.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386843346.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386704666.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386554114.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6136, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5604, type: MEMORY

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Windows\System32\loaddll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Contains functionality to query system information

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D983A00 GetProcessHeap,RtlAllocateHeap,GetTempPathA,GetSystemInfo,CreateSemaphoreA,

0_2_6D983A00

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D971D28 LdrInitializeThunk,

0_2_6D971D28

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D983D72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6D983D72

Contains functionality to read the PEB

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D999212 mov eax, dword ptr fs:[00000030h]		0_2_6D999212
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D998D5E push dword ptr fs:[00000030h]		0_2_6D998D5E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D999148 mov eax, dword ptr fs:[00000030h]		0_2_6D999148
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D999212 mov eax, dword ptr fs:[00000030h]		4_2_6D999212
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D998D5E push dword ptr fs:[00000030h]		4_2_6D998D5E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D999148 mov eax, dword ptr fs:[00000030h]		4_2_6D999148

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D983A00 GetProcessHeap,RtlAllocateHeap,GetTempPathA,GetSystemInfo,CreateSemaphoreA,

0_2_6D983A00

Contains functionality to register its own exception handler

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D97137F InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,		0_2_6D97137F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_00E82DF4 RtlInitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,		0_2_00E82DF4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D983D72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6D983D72
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_6D985B8B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6D985B8B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_012B2DF4 RtlInitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,		3_2_012B2DF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_01372DF4 RtlInitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,		4_2_01372DF4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D983D72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		4_2_6D983D72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6D985B8B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		4_2_6D985B8B

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\d7b.dll',#1

Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: loaddll32.exe, 00000000.00000002.593648567.0000000001560000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.595719473.0000000003560000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.593648567.0000000001560000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.595719473.0000000003560000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.593648567.0000000001560000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.595719473.0000000003560000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: loaddll32.exe, 00000000.00000002.593648567.0000000001560000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.595719473.0000000003560000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00E86E5B cpuid

0_2_00E86E5B

Contains functionality to query local / system time

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00E82B9E GetSystemTimeAsFileTime,HeapFree,

0_2_00E82B9E

Contains functionality to query the account / user name

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_00E86E5B GetUserNameW,RtlAllocateHeap,HeapFree,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

0_2_00E86E5B

Contains functionality to query windows version

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_6D971A98 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

0_2_6D971A98

Stealing of Sensitive Information:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.384867126.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386739440.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384991598.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386787805.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.596356802.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384681414.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386833228.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385026148.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385049727.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385084591.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386804155.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386611964.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384965086.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385068995.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.594418378.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386843346.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386704666.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386554114.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6136, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5604, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Source: Yara match	File source: 00000004.00000003.384867126.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386739440.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384991598.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386787805.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.596356802.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384681414.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386833228.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385026148.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385049727.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385084591.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386804155.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386611964.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.384965086.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.385068995.0000000005308000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.594418378.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386843346.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386704666.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.386554114.0000000003458000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 6136, type: MEMORY
Source: Yara match	File source: Process Memory Space: loaddll32.exe PID: 5604, type: MEMORY