Windows Analysis Report 3d0.dll

Overview

General Information

Sample Name: 3d0.dll
Analysis ID: 446439
MD5: 3d080af5324b49363773d0db21b620ed
SHA1: 2724f486e0f8607eda3ea9e9783ea4f46bc98342
SHA256: c21498aea57a809c36258572bc551c6047a4bf93958bc7a3d4b46d844fc9f1b3
Tags: dllgozi

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 00000004.00000003.400598077.0000000003050000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "c946IFxWIDGK9Hq1Ybb438yBu8Cj3egs+XQOxscJJsDTjHJFh9R3UWfjeG6mmXpq1NpAgebksnoZUidy5aQquO4l2kngoJviyLUUuuyzBCrx3/NomLag07NZIvCCUnkHmthu91L5hF46C2c/M3O0C6vE49KPiNZZJM77Kb93s25NFKjcj9Vn7XCgp3iYFMPmh7k5s+Do1zOfVMTWbqUnBJgxmQuc10Qd1Uw6Ijr84I4ace4Xe6fmScTrxv7elZHW9xwBGYTCV+2TyjBLdlrvczgkBNBMV8eyommZtWxH+x7W9FA8cYZRvDdfEkxW2aBLg+UhdWBTncvMhOi/WlMileBBGGOX5LpmS2dOYm1o85s=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "acGSuehuI5dQ2qw3", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: authd.feronok.com Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: 3d0.dll Virustotal: Detection: 55%
Machine Learning detection for sample
Source: 3d0.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.rundll32.exe.30e0000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10e0000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses 32bit PE files
Source: 3d0.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\834\Bar\Me\shop\Prop\Woman \where.pdb source: loaddll32.exe, 00000000.00000002.479359955.0000000001134000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.481255788.0000000003134000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.481586184.00000000049C4000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.480846819.0000000002F64000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.481573305.0000000002F34000.00000002.00020000.sdmp, 3d0.dll
Source: unknown DNS traffic detected: queries for: authd.feronok.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.480410281.000000000171B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010E1B9C GetProcAddress,NtCreateSection,memset, 0_2_010E1B9C
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010E1EC7 NtMapViewOfSection, 0_2_010E1EC7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010E2485 NtQueryVirtualMemory, 0_2_010E2485
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011D2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_011D2D06
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011D8005 NtQueryVirtualMemory, 0_2_011D8005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E1B9C GetProcAddress,NtCreateSection,memset, 4_2_030E1B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E1EC7 NtMapViewOfSection, 4_2_030E1EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E2485 NtQueryVirtualMemory, 4_2_030E2485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04972485 NtQueryVirtualMemory, 6_2_04972485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F11EC7 NtMapViewOfSection, 7_2_02F11EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F11B9C GetProcAddress,NtCreateSection,memset, 7_2_02F11B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F12485 NtQueryVirtualMemory, 7_2_02F12485
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_03292D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 7_2_03292D06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_03298005 NtQueryVirtualMemory, 7_2_03298005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02EE1EC7 NtMapViewOfSection, 8_2_02EE1EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02EE1B9C GetProcAddress,NtCreateSection,memset, 8_2_02EE1B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02EE2485 NtQueryVirtualMemory, 8_2_02EE2485
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010E2264 0_2_010E2264
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011D3109 0_2_011D3109
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011D7DE0 0_2_011D7DE0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011D2206 0_2_011D2206
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01115A90 0_2_01115A90
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011225D0 0_2_011225D0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011217F0 0_2_011217F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E2264 4_2_030E2264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03115A90 4_2_03115A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_031217F0 4_2_031217F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_031225D0 4_2_031225D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04972264 6_2_04972264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049A5A90 6_2_049A5A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049B25D0 6_2_049B25D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049B17F0 6_2_049B17F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F12264 7_2_02F12264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_03293109 7_2_03293109
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_03297DE0 7_2_03297DE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_03292206 7_2_03292206
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F45A90 7_2_02F45A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F517F0 7_2_02F517F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F525D0 7_2_02F525D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02EE2264 8_2_02EE2264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F15A90 8_2_02F15A90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F217F0 8_2_02F217F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F225D0 8_2_02F225D0
Uses 32bit PE files
Source: 3d0.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal80.troj.winDLL@18/5@3/0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011D513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_011D513E
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFD2FE459C37A3F042.TMP
Source: 3d0.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3d0.dll Virustotal: Detection: 55%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3d0.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Did
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: 3d0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3d0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3d0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3d0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3d0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3d0.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 3d0.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 3d0.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 3d0.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 3d0.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 3d0.dll Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010E1F7C LoadLibraryA,GetProcAddress, 0_2_010E1F7C
PE file contains an invalid checksum
Source: 3d0.dll Static PE information: real checksum: 0x7cc80 should be: 0x7d379
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010E2200 push ecx; ret 0_2_010E2209
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010E2253 push ecx; ret 0_2_010E2263
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011D7DCF push ecx; ret 0_2_011D7DDF
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011D7A60 push ecx; ret 0_2_011D7A69
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010F0815 push esi; ret 0_2_010F0859
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010F4391 pushfd ; ret 0_2_010F4392
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010EE204 push ebx; iretd 0_2_010EE20D
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010F45B9 push ds; ret 0_2_010F45ED
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010F266E push eax; ret 0_2_010F266F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010F4ECD push ebx; iretd 0_2_010F4EE9
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01157D0C push edx; ret 0_2_01157D0F
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0115773B push esp; iretd 0_2_0115774A
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01156D42 push ebp; iretd 0_2_01156D4E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011574B3 push ebx; retf 0_2_011574B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E2200 push ecx; ret 4_2_030E2209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030E2253 push ecx; ret 4_2_030E2263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F4391 pushfd ; ret 4_2_030F4392
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030EE204 push ebx; iretd 4_2_030EE20D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F0815 push esi; ret 4_2_030F0859
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F266E push eax; ret 4_2_030F266F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F4ECD push ebx; iretd 4_2_030F4EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_030F45B9 push ds; ret 4_2_030F45ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03157D0C push edx; ret 4_2_03157D0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0315773B push esp; iretd 4_2_0315774A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03156D42 push ebp; iretd 4_2_03156D4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_031574B3 push ebx; retf 4_2_031574B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04972200 push ecx; ret 6_2_04972209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04972253 push ecx; ret 6_2_04972263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049845B9 push ds; ret 6_2_049845ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_04984ECD push ebx; iretd 6_2_04984EE9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_0498266E push eax; ret 6_2_0498266F

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0111B8F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010E1F7C LoadLibraryA,GetProcAddress, 0_2_010E1F7C
Contains functionality to read the PEB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01154F71 mov eax, dword ptr fs:[00000030h] 0_2_01154F71
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01154EA7 mov eax, dword ptr fs:[00000030h] 0_2_01154EA7
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01154AAE push dword ptr fs:[00000030h] 0_2_01154AAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03154F71 mov eax, dword ptr fs:[00000030h] 4_2_03154F71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03154EA7 mov eax, dword ptr fs:[00000030h] 4_2_03154EA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03154AAE push dword ptr fs:[00000030h] 4_2_03154AAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049E4F71 mov eax, dword ptr fs:[00000030h] 6_2_049E4F71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049E4AAE push dword ptr fs:[00000030h] 6_2_049E4AAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049E4EA7 mov eax, dword ptr fs:[00000030h] 6_2_049E4EA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F84F71 mov eax, dword ptr fs:[00000030h] 7_2_02F84F71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F84AAE push dword ptr fs:[00000030h] 7_2_02F84AAE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F84EA7 mov eax, dword ptr fs:[00000030h] 7_2_02F84EA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F54F71 mov eax, dword ptr fs:[00000030h] 8_2_02F54F71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F54EA7 mov eax, dword ptr fs:[00000030h] 8_2_02F54EA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F54AAE push dword ptr fs:[00000030h] 8_2_02F54AAE
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0111B900 GetProcessHeap,RtlAllocateHeap,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_init,__mtinit,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__mtterm,__heap_term,___setargv,__setenvp,__cinit,__ioterm,__mtterm,__heap_term,__CrtSetDbgFlag,__CrtDumpMemoryLeaks,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__encode_pointer,__initptd,GetCurrentThreadId,__freeptd, 0_2_0111B900
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0111C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0111C060
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0111B8F0
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0111DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0111DC70
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_01120680 SetUnhandledExceptionFilter,__encode_pointer, 0_2_01120680
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011206B0 __encode_pointer,SetUnhandledExceptionFilter, 0_2_011206B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0311C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0311C060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0311B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0311B8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03120680 SetUnhandledExceptionFilter,__encode_pointer, 4_2_03120680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_031206B0 __encode_pointer,SetUnhandledExceptionFilter, 4_2_031206B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0311DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0311DC70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049ADC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_049ADC70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049B0680 SetUnhandledExceptionFilter,__encode_pointer, 6_2_049B0680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049B06B0 __encode_pointer,SetUnhandledExceptionFilter, 6_2_049B06B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049AB8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_049AB8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_049AC060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_049AC060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F4B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_02F4B8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F4C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_02F4C060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F506B0 __encode_pointer,SetUnhandledExceptionFilter, 7_2_02F506B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F50680 SetUnhandledExceptionFilter,__encode_pointer, 7_2_02F50680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_02F4DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_02F4DC70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F1B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_02F1B8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F1C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_02F1C060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F206B0 __encode_pointer,SetUnhandledExceptionFilter, 8_2_02F206B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F20680 SetUnhandledExceptionFilter,__encode_pointer, 8_2_02F20680
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_02F1DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_02F1DC70

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_011D4454 cpuid 0_2_011D4454
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 0_2_010E1E8A
Source: C:\Windows\System32\loaddll32.exe Code function: GetLocaleInfoA, 0_2_0112A8A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 4_2_030E1E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_0312A8A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 6_2_04971E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 6_2_049BA8A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 7_2_02F11E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 7_2_02F5A8A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 8_2_02EE1E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 8_2_02F2A8A0
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010E1144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_010E1144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_03294454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 7_2_03294454
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_010E1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_010E1F10
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY
No contacted IP infos