Windows Analysis Report c36.dll

Overview

General Information

Sample Name: c36.dll
Analysis ID: 446420
MD5: c36ab737db2b6d11fb1f443f8117a7fa
SHA1: e6fab2798dd6088aa3527a01ae1b3f2415cf40cf
SHA256: 181fe6714ebaff8c1855e8e1dbac545ffd160df0ec96ddf920c5155916b7111b
Tags: dllgozi
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000006.00000003.310307247.0000000001130000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "1mPXe+HluarwW4R5yJj7kX696atmf6B7a6Jg5mZJ5i3sbRT19R7vT9mKoTtyIRImiHldxTU8DG3omytA0iEqz9hnZgVFnIpVKjKYSqpF7qVSkNASqDhbMdx0CqPxwgtnM3yHiXHYSYrxlGineE5/W0Lx89hsKcfonC8W/kvncnBH4KqUVMOPQeg/25xF11Xm", "c2_domain": ["outlook.com", "mail.com", "taybhctdyehfhgthp2.xyz", "thyihjtkylhmhnypp2.xyz"], "botnet": "5456", "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "0", "DGA_count": "10"}

Compliance:

barindex
Uses 32bit PE files
Source: c36.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdby1Zs# source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: c:\Door\26\Enter\Mos\Hard \Stretch.pdb source: loaddll32.exe, 00000002.00000002.484014411.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.487526023.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.386861374.000000006E1EB000.00000002.00020000.sdmp, c36.dll
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbT? source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbG1xs( source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbK1dsg& source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: combase.pdbgB source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49729 -> 40.97.128.194:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49729 -> 40.97.128.194:80
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 40.97.128.194 40.97.128.194
Source: global traffic HTTP traffic detected: GET /jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2F/gFwgPVc3A_2BGFDYWcxhxu6/95nq35D0eQ/F_2Bmi0291iuqGJ2R/Lk7llVNKTp1W/ZOLoPeu_2F4/nTZWoYdvVj3RXx/XwwFNQtzd_2FkWk0UpQTO/wz8fmYfCTc8Ok1p_/2Bs3Gpetltr/L74Ig5cboZ/m.crw HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: outlook.comConnection: Keep-Alive
Source: msapplication.xml0.24.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.24.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.24.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.24.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.24.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.24.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x4425ba91,0x01d77511</date><accdate>0x4425ba91,0x01d77511</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: outlook.com
Source: msapplication.xml.24.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.24.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.24.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.24.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.24.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.24.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.24.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.24.dr String found in binary or memory: http://www.youtube.com/
Source: {6C6C1DAB-E104-11EB-90E4-ECF4BB862DED}.dat.24.dr String found in binary or memory: https://outlook.office365.com/jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A1996 GetProcAddress,NtCreateSection,memset, 2_2_6E1A1996
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A1A44 NtMapViewOfSection, 2_2_6E1A1A44
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A23A5 NtQueryVirtualMemory, 2_2_6E1A23A5
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_02EA5A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 2_2_02EA5A27
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_02EAB1A5 NtQueryVirtualMemory, 2_2_02EAB1A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01185A27 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 5_2_01185A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0118B1A5 NtQueryVirtualMemory, 5_2_0118B1A5
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A2184 2_2_6E1A2184
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_02EA3EE1 2_2_02EA3EE1
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_02EA888E 2_2_02EA888E
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_02EAAF80 2_2_02EAAF80
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1CA260 2_2_6E1CA260
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1CD1F0 2_2_6E1CD1F0
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1E8559 2_2_6E1E8559
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1DEDC4 2_2_6E1DEDC4
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1DC5EB 2_2_6E1DC5EB
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1CDA30 2_2_6E1CDA30
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1E7AD1 2_2_6E1E7AD1
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1E8015 2_2_6E1E8015
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1D68E0 2_2_6E1D68E0
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1EA1BF 2_2_6E1EA1BF
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1C99A0 2_2_6E1C99A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0118AF80 5_2_0118AF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0118888E 5_2_0118888E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_01183EE1 5_2_01183EE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1CA260 5_2_6E1CA260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1CD1F0 5_2_6E1CD1F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1E8559 5_2_6E1E8559
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1DEDC4 5_2_6E1DEDC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1DC5EB 5_2_6E1DC5EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1CDA30 5_2_6E1CDA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1E7AD1 5_2_6E1E7AD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1E8015 5_2_6E1E8015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1D68E0 5_2_6E1D68E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1EA1BF 5_2_6E1EA1BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1C99A0 5_2_6E1C99A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1CA260 6_2_6E1CA260
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1CD1F0 6_2_6E1CD1F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1E8559 6_2_6E1E8559
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1DEDC4 6_2_6E1DEDC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1DC5EB 6_2_6E1DC5EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1CDA30 6_2_6E1CDA30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1E7AD1 6_2_6E1E7AD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1E8015 6_2_6E1E8015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1D68E0 6_2_6E1D68E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1EA1BF 6_2_6E1EA1BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1C99A0 6_2_6E1C99A0
Found potential string decryption / allocating functions
Source: C:\Windows\System32\loaddll32.exe Code function: String function: 6E1D9D10 appears 49 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1D9D10 appears 98 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E1DBFE0 appears 48 times
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 852
Uses 32bit PE files
Source: c36.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal72.troj.winDLL@17/18@3/3
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_02EAA65C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 2_2_02EAA65C
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1632
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFD1208600E5902E85.TMP Jump to behavior
Source: c36.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\c36.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Division
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 852
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Beautyresult Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Division Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Fastcolor Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\c36.dll,Yetclose Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5468 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: c36.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: CoreMessaging.pdb_ source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdby1Zs# source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: c:\Door\26\Enter\Mos\Hard \Stretch.pdb source: loaddll32.exe, 00000002.00000002.484014411.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000005.00000002.487526023.000000006E1EB000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000000.386861374.000000006E1EB000.00000002.00020000.sdmp, c36.dll
Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000001A.00000003.409603470.0000000005704000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdbT? source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.401542814.0000000003492000.00000004.00000001.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: shell32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: msctf.pdbG1xs( source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000001A.00000003.409570664.00000000056F2000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000001A.00000003.409645470.00000000056F0000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: WinTypes.pdbK1dsg& source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 0000001A.00000003.409544417.00000000055C1000.00000004.00000001.sdmp
Source: Binary string: combase.pdbgB source: WerFault.exe, 0000001A.00000003.409583861.00000000056F8000.00000004.00000040.sdmp
Source: c36.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: c36.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: c36.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: c36.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: c36.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A1BAC LoadLibraryA,GetProcAddress, 2_2_6E1A1BAC
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A2120 push ecx; ret 2_2_6E1A2129
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A2173 push ecx; ret 2_2_6E1A2183
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_02EAABC0 push ecx; ret 2_2_02EAABC9
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_02EAAF6F push ecx; ret 2_2_02EAAF7F
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1B1F3E push ds; ret 2_2_6E1B1F42
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1B27B2 push edi; retf 2_2_6E1B27B4
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1B1511 push es; ret 2_2_6E1B156F
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1D9D55 push ecx; ret 2_2_6E1D9D68
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1D7255 push ecx; ret 2_2_6E1D7268
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E205803 push dword ptr [edi]; ret 2_2_6E205810
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E2060AF push 5DC4E471h; iretd 2_2_6E2060B9
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E2058DE push ebx; retf 2_2_6E2058E9
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E203501 push eax; ret 2_2_6E203531
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E203580 push eax; ret 2_2_6E203531
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E20678B push dword ptr [ebx+ecx+36B6D5EAh]; iretd 2_2_6E2067A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0118AF6F push ecx; ret 5_2_0118AF7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_0118ABC0 push ecx; ret 5_2_0118ABC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1B670E pushad ; retf 5_2_6E1B6715
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1B1F3E push ds; ret 5_2_6E1B1F42
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1B5779 push esp; iretd 5_2_6E1B577D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1B27B2 push edi; retf 5_2_6E1B27B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1B1511 push es; ret 5_2_6E1B156F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1D9D55 push ecx; ret 5_2_6E1D9D68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1D7255 push ecx; ret 5_2_6E1D7268
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1B59A9 push esp; ret 5_2_6E1B59B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E205803 push dword ptr [edi]; ret 5_2_6E205810
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E2060AF push 5DC4E471h; iretd 5_2_6E2060B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E2058DE push ebx; retf 5_2_6E2058E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E203501 push eax; ret 5_2_6E203531
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E203580 push eax; ret 5_2_6E203531
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E20678B push dword ptr [ebx+ecx+36B6D5EAh]; iretd 5_2_6E2067A1

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: WerFault.exe, 0000001A.00000003.425099600.000000000523C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 0000001A.00000002.428303510.000000000530D000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@
Source: WerFault.exe, 0000001A.00000002.428359601.0000000005330000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E1D4FB4
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A1BAC LoadLibraryA,GetProcAddress, 2_2_6E1A1BAC
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E20434D mov eax, dword ptr fs:[00000030h] 2_2_6E20434D
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E20427C mov eax, dword ptr fs:[00000030h] 2_2_6E20427C
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E203E83 push dword ptr fs:[00000030h] 2_2_6E203E83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E20434D mov eax, dword ptr fs:[00000030h] 5_2_6E20434D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E20427C mov eax, dword ptr fs:[00000030h] 5_2_6E20427C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E203E83 push dword ptr fs:[00000030h] 5_2_6E203E83
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E20434D mov eax, dword ptr fs:[00000030h] 6_2_6E20434D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E20427C mov eax, dword ptr fs:[00000030h] 6_2_6E20427C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E203E83 push dword ptr fs:[00000030h] 6_2_6E203E83
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1D6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E1D6ED0
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E1D4FB4
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1D27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E1D27C8
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1D6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E1D6A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1D6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6E1D6ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6E1D4FB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1D27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_6E1D27C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6E1D6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_6E1D6A1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1D6ED0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6E1D6ED0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1D4FB4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6E1D4FB4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1D27C8 _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6E1D27C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_6E1D6A1F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6E1D6A1F

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\c36.dll',#1 Jump to behavior
Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000002.00000002.479086717.0000000001900000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.481181205.0000000003A60000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000000.374670738.00000000031D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_02EA9135 cpuid 2_2_02EA9135
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 2_2_6E1DD7F4
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 2_2_6E1D8C74
Source: C:\Windows\System32\loaddll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 2_2_6E1E3C75
Source: C:\Windows\System32\loaddll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 2_2_6E1DD186
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 2_2_6E1E3E03
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 2_2_6E1DE67A
Source: C:\Windows\System32\loaddll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 2_2_6E1DE791
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 2_2_6E1E74C2
Source: C:\Windows\System32\loaddll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 2_2_6E1DEA6F
Source: C:\Windows\System32\loaddll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_6E1DEB30
Source: C:\Windows\System32\loaddll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 2_2_6E1E734F
Source: C:\Windows\System32\loaddll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 2_2_6E1DEB97
Source: C:\Windows\System32\loaddll32.exe Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA, 2_2_6E1E7383
Source: C:\Windows\System32\loaddll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s, 2_2_6E1DEBD3
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 2_2_6E1DE829
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 5_2_6E1DD7F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 5_2_6E1D8C74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 5_2_6E1E3C75
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 5_2_6E1DD186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 5_2_6E1E3E03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 5_2_6E1DE67A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 5_2_6E1DE791
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 5_2_6E1E74C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 5_2_6E1DEA6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_6E1DEB30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 5_2_6E1E734F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 5_2_6E1DEB97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA, 5_2_6E1E7383
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s, 5_2_6E1DEBD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 5_2_6E1DE829
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 6_2_6E1DD7F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 6_2_6E1D8C74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 6_2_6E1E3C75
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 6_2_6E1DD186
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 6_2_6E1E3E03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 6_2_6E1DE67A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 6_2_6E1DE791
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 6_2_6E1E74C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 6_2_6E1DEA6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_6E1DEB30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 6_2_6E1E734F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 6_2_6E1DEB97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA, 6_2_6E1E7383
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__invoke_watson,__itoa_s, 6_2_6E1DEBD3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 6_2_6E1DE829
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A1ADA GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 2_2_6E1A1ADA
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_02EA9135 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 2_2_02EA9135
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1DB23D __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,__invoke_watson,__invoke_watson, 2_2_6E1DB23D
Source: C:\Windows\System32\loaddll32.exe Code function: 2_2_6E1A1F0E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 2_2_6E1A1F0E

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000002.00000002.480154797.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437029493.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437142340.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436946677.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391097194.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391161462.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390899688.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391143928.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.482068718.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390847636.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437405999.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437098624.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390939253.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437339959.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.390979627.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.436834249.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.391054400.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.437249428.0000000005A38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 4796, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1844, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 446420 Sample: c36.dll Startdate: 09/07/2021 Architecture: WINDOWS Score: 72 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Found malware configuration 2->36 38 Yara detected  Ursnif 2->38 7 loaddll32.exe 1 2->7         started        10 iexplore.exe 2 83 2->10         started        process3 signatures4 40 Writes or reads registry keys via WMI 7->40 42 Writes registry values via WMI 7->42 12 rundll32.exe 7->12         started        15 rundll32.exe 7->15         started        17 cmd.exe 1 7->17         started        22 2 other processes 7->22 19 iexplore.exe 25 10->19         started        process5 dnsIp6 44 Writes registry values via WMI 12->44 24 WerFault.exe 23 9 15->24         started        26 rundll32.exe 17->26         started        28 outlook.com 40.97.128.194, 443, 49729, 49730 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->28 30 52.97.201.194, 443, 49734, 49735 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->30 32 5 other IPs or domains 19->32 signatures7 process8
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
40.97.128.194
 outlook.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
52.97.201.194
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
52.98.163.18
 ZRH-efz.ms-acdc.office.com United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false

Contacted Domains

Name IP Active
outlook.com 40.97.128.194 true
ZRH-efz.ms-acdc.office.com 52.98.163.18 true
www.outlook.com unknown unknown
outlook.office365.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://outlook.com/jdraw/D_2BiqNvBbnsXvuMxmM/t9_2FNHkYnKYRDnfwXuIAV/PZdbgLkzH6hzl/QBVRJ_2F/gFwgPVc3A_2BGFDYWcxhxu6/95nq35D0eQ/F_2Bmi0291iuqGJ2R/Lk7llVNKTp1W/ZOLoPeu_2F4/nTZWoYdvVj3RXx/XwwFNQtzd_2FkWk0UpQTO/wz8fmYfCTc8Ok1p_/2Bs3Gpetltr/L74Ig5cboZ/m.crw false
    		high