
Windows Analysis Report 3d0.dll

Overview

General Information

Sample Name: 3d0.dll
Analysis ID: 446439
MD5: 3d080af5324b49363773d0db21b620ed
SHA1: 2724f486e0f8607eda3ea9e9783ea4f46bc98342
SHA256: c21498aea57a809c36258572bc551c6047a4bf93958bc7a3d4b46d844fc9f1b3
Tags: dll, gozi

Detection

Ursnif
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Machine Learning detection for sample
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 5364 cmdline: loaddll32.exe 'C:\Users\user\Desktop\3d0.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 4948 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5312 cmdline: rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 5544 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1288 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Did MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 3040 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6036 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6132 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 5040 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4968 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "c946IFxWIDGK9Hq1Ybb438yBu8Cj3egs+XQOxscJJsDTjHJFh9R3UWfjeG6mmXpq1NpAgebksnoZUidy5aQquO4l2kngoJviyLUUuuyzBCrx3/NomLag07NZIvCCUnkHmthu91L5hF46C2c/M3O0C6vE49KPiNZZJM77Kb93s25NFKjcj9Vn7XCgp3iYFMPmh7k5s+Do1zOfVMTWbqUnBJgxmQuc10Qd1Uw6Ijr84I4ace4Xe6fmScTrxv7elZHW9xwBGYTCV+2TyjBLdlrvczgkBNBMV8eyommZtWxH+x7W9FA8cYZRvDdfEkxW2aBLg+UhdWBTncvMhOi/WlMileBBGGOX5LpmS2dOYm1o85s=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "acGSuehuI5dQ2qw3", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000004.00000003.400598077.0000000003050000.00000040.00000001.sdmp | Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "c946IFxWIDGK9Hq1Ybb438yBu8Cj3egs+XQOxscJJsDTjHJFh9R3UWfjeG6mmXpq1NpAgebksnoZUidy5aQquO4l2kngoJviyLUUuuyzBCrx3/NomLag07NZIvCCUnkHmthu91L5hF46C2c/M3O0C6vE49KPiNZZJM77Kb93s25NFKjcj9Vn7XCgp3iYFMPmh7k5s+Do1zOfVMTWbqUnBJgxmQuc10Qd1Uw6Ijr84I4ace4Xe6fmScTrxv7elZHW9xwBGYTCV+2TyjBLdlrvczgkBNBMV8eyommZtWxH+x7W9FA8cYZRvDdfEkxW2aBLg+UhdWBTncvMhOi/WlMileBBGGOX5LpmS2dOYm1o85s=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "acGSuehuI5dQ2qw3", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: authd.feronok.com | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: 3d0.dll | Virustotal: Detection: 55%
Machine Learning detection for sample
Source: 3d0.dll | Joe Sandbox ML: detected
Source: 4.2.rundll32.exe.30e0000.2.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10e0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen8
Source: 3d0.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\834\Bar\Me\shop\Prop\Woman \where.pdb source: loaddll32.exe, 00000000.00000002.479359955.0000000001134000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.481255788.0000000003134000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.481586184.00000000049C4000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.480846819.0000000002F64000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.481573305.0000000002F34000.00000002.00020000.sdmp, 3d0.dll
Source: unknown | DNS traffic detected: queries for: authd.feronok.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY
Source: loaddll32.exe, 00000000.00000002.480410281.000000000171B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1B9C GetProcAddress,NtCreateSection,memset, 0_2_010E1B9C
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1EC7 NtMapViewOfSection, 0_2_010E1EC7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E2485 NtQueryVirtualMemory, 0_2_010E2485
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_011D2D06
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D8005 NtQueryVirtualMemory, 0_2_011D8005
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E1B9C GetProcAddress,NtCreateSection,memset, 4_2_030E1B9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E1EC7 NtMapViewOfSection, 4_2_030E1EC7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E2485 NtQueryVirtualMemory, 4_2_030E2485
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04972485 NtQueryVirtualMemory, 6_2_04972485
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F11EC7 NtMapViewOfSection, 7_2_02F11EC7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F11B9C GetProcAddress,NtCreateSection,memset, 7_2_02F11B9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F12485 NtQueryVirtualMemory, 7_2_02F12485
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03292D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 7_2_03292D06
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03298005 NtQueryVirtualMemory, 7_2_03298005
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02EE1EC7 NtMapViewOfSection, 8_2_02EE1EC7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02EE1B9C GetProcAddress,NtCreateSection,memset, 8_2_02EE1B9C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02EE2485 NtQueryVirtualMemory, 8_2_02EE2485
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E2264 0_2_010E2264
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D3109 0_2_011D3109
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D7DE0 0_2_011D7DE0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D2206 0_2_011D2206
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01115A90 0_2_01115A90
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011225D0 0_2_011225D0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011217F0 0_2_011217F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E2264 4_2_030E2264
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03115A90 4_2_03115A90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_031217F0 4_2_031217F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_031225D0 4_2_031225D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04972264 6_2_04972264
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049A5A90 6_2_049A5A90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049B25D0 6_2_049B25D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049B17F0 6_2_049B17F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F12264 7_2_02F12264
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03293109 7_2_03293109
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03297DE0 7_2_03297DE0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03292206 7_2_03292206
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F45A90 7_2_02F45A90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F517F0 7_2_02F517F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F525D0 7_2_02F525D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02EE2264 8_2_02EE2264
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F15A90 8_2_02F15A90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F217F0 8_2_02F217F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F225D0 8_2_02F225D0
Source: 3d0.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine | Classification label: mal80.troj.winDLL@18/5@3/0
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 0_2_011D513E
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFD2FE459C37A3F042.TMP
Source: 3d0.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin
Source: 3d0.dll | Virustotal: Detection: 55%
Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3d0.dll'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Did
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Did
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 3d0.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\834\Bar\Me\shop\Prop\Woman \where.pdb source: loaddll32.exe, 00000000.00000002.479359955.0000000001134000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.481255788.0000000003134000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.481586184.00000000049C4000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.480846819.0000000002F64000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.481573305.0000000002F34000.00000002.00020000.sdmp, 3d0.dll
Source: 3d0.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 3d0.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 3d0.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 3d0.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 3d0.dll | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1F7C LoadLibraryA,GetProcAddress, 0_2_010E1F7C
Source: 3d0.dll | Static PE information: real checksum: 0x7cc80 should be: 0x7d379
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E2200 push ecx; ret 0_2_010E2209
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E2253 push ecx; ret 0_2_010E2263
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D7DCF push ecx; ret 0_2_011D7DDF
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D7A60 push ecx; ret 0_2_011D7A69
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F0815 push esi; ret 0_2_010F0859
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F4391 pushfd ; ret 0_2_010F4392
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010EE204 push ebx; iretd 0_2_010EE20D
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F45B9 push ds; ret 0_2_010F45ED
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F266E push eax; ret 0_2_010F266F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010F4ECD push ebx; iretd 0_2_010F4EE9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01157D0C push edx; ret 0_2_01157D0F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0115773B push esp; iretd 0_2_0115774A
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01156D42 push ebp; iretd 0_2_01156D4E
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011574B3 push ebx; retf 0_2_011574B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E2200 push ecx; ret 4_2_030E2209
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E2253 push ecx; ret 4_2_030E2263
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030F4391 pushfd ; ret 4_2_030F4392
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030EE204 push ebx; iretd 4_2_030EE20D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030F0815 push esi; ret 4_2_030F0859
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030F266E push eax; ret 4_2_030F266F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030F4ECD push ebx; iretd 4_2_030F4EE9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030F45B9 push ds; ret 4_2_030F45ED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03157D0C push edx; ret 4_2_03157D0F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0315773B push esp; iretd 4_2_0315774A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03156D42 push ebp; iretd 4_2_03156D4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_031574B3 push ebx; retf 4_2_031574B5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04972200 push ecx; ret 6_2_04972209
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04972253 push ecx; ret 6_2_04972263
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049845B9 push ds; ret 6_2_049845ED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04984ECD push ebx; iretd 6_2_04984EE9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_0498266E push eax; ret 6_2_0498266F

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
            Source: Yara matchFile source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY
            Source: C:\Windows\SysWOW64\rundll32.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\loaddll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exeLast function: Thread delayed
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1F7C LoadLibraryA,GetProcAddress
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01154F71 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01154EA7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01154AAE push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03154F71 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03154EA7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03154AAE push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049E4F71 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049E4AAE push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049E4EA7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F84F71 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F84AAE push dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F84EA7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F54F71 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F54EA7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F54AAE push dword ptr fs:[00000030h]
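The fs:[00000030h] reads and pushes listed above are the x86 encodings of fetching the PEB pointer from the TEB; what the code does with that pointer (read BeingDebugged at +0x02, NtGlobalFlag at +0x68, or walk Ldr at +0x0C to resolve APIs) is what separates an anti-debug check from ordinary API resolution. The scanner below is an added example written for this page, not code from the report or from the sample: it finds those encodings in a raw 32-bit code blob and names the PEB field read immediately afterwards. The byte string it scans is constructed here to mimic the listed instructions, the field offsets are the 32-bit PEB layout, and the patterns are a heuristic (the bytes 64 A1 can also occur in data), so each hit is an address to confirm in a disassembler rather than a verdict.

```python
import re
from typing import List, Optional

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# 32-bit PEB fields commonly read right after the PEB pointer is fetched.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters",
              0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# Encodings of a PEB fetch. Each entry also yields the register (index into REGS)
# that ends up holding the PEB pointer, or None for a bare push.
PATTERNS = [
    (re.compile(rb"\x64\xA1\x30\x00\x00\x00"), "mov eax, fs:[30h]",
     lambda m: 0),
    (re.compile(rb"\x64\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"),
     "mov r32, fs:[30h]",
     lambda m: (m.group(1)[0] >> 3) & 7),            # reg field of the ModRM byte
    (re.compile(rb"\x64\xFF\x35\x30\x00\x00\x00"), "push fs:[30h]",
     lambda m: None),
    (re.compile(rb"\x64\xA1\x18\x00\x00\x00.{0,6}?\x8B\x40\x30", re.DOTALL),
     "mov eax, fs:[18h] / mov eax, [eax+30h]",        # TEB first, then TEB.PEB
     lambda m: 0),
]


def _field_read_after(blob: bytes, pos: int, reg: int) -> Optional[str]:
    """Look a few bytes past the fetch for mov/movzx r, [reg+disp8] and name the field."""
    window = blob[pos:pos + 10]
    i = 0
    while i < len(window) - 1:
        if window[i] in (0x8B, 0x8A):              # mov r32,[..] / mov r8,[..]
            modrm_at = i + 1
        elif window[i:i + 2] == b"\x0F\xB6":       # movzx r32, byte [..]
            modrm_at = i + 2
        else:
            i += 1
            continue
        if modrm_at + 1 < len(window):
            modrm = window[modrm_at]
            # mod=01 (8-bit displacement) and rm=the register holding the PEB.
            # rm=esp would need a SIB byte; that form is not decoded here.
            if (modrm >> 6) == 1 and (modrm & 7) == reg and reg != 4:
                disp = window[modrm_at + 1]
                return PEB_FIELDS.get(disp, f"PEB+0x{disp:02X}")
        i += 1
    return None


def find_peb_access(blob: bytes) -> List[dict]:
    """Return every PEB fetch in blob with its offset, encoding, register and follow-up field."""
    hits = []
    for pattern, name, reg_of in PATTERNS:
        for m in pattern.finditer(blob):
            reg = reg_of(m)
            hits.append({
                "offset": m.start(),
                "instruction": name,
                "register": REGS[reg] if reg is not None else None,
                "field": _field_read_after(blob, m.end(), reg) if reg is not None else None,
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed 32-bit fragment (not taken from the sample): a BeingDebugged check,
# an NtGlobalFlag read through ecx, and a bare push of the PEB pointer.
SAMPLE = bytes.fromhex(
    "558BEC"          # push ebp ; mov ebp, esp
    "64A130000000"    # mov eax, dword ptr fs:[30h]   ; eax = PEB
    "0FB64002"        # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85C07510"        # test eax, eax ; jnz +16
    "648B0D30000000"  # mov ecx, dword ptr fs:[30h]   ; ecx = PEB
    "8B4168"          # mov eax, [ecx+68h]            ; PEB.NtGlobalFlag
    "64FF3530000000"  # push dword ptr fs:[30h]
    "C3"              # ret
)

if __name__ == "__main__":
    for h in find_peb_access(SAMPLE):
        print(f"+0x{h['offset']:04X}  {h['instruction']:<40} reg={h['register']}  field={h['field']}")
```

Run it over a dumped code section (for instance the rundll32.exe memory regions the report lists) and compare the offsets with the function addresses above; a fetch followed by BeingDebugged or NtGlobalFlag is the anti-debug case, a fetch followed by Ldr is the dynamic API-resolution case flagged by the LoadLibraryA/GetProcAddress signature.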
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0111B900 GetProcessHeap,RtlAllocateHeap,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_init,__mtinit,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__mtterm,__heap_term,___setargv,__setenvp,__cinit,__ioterm,__mtterm,__heap_term,__CrtSetDbgFlag,__CrtDumpMemoryLeaks,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__encode_pointer,__initptd,GetCurrentThreadId,__freeptd
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0111C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0111DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_01120680 SetUnhandledExceptionFilter,__encode_pointer
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011206B0 __encode_pointer,SetUnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0311C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0311B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_03120680 SetUnhandledExceptionFilter,__encode_pointer
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_031206B0 __encode_pointer,SetUnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0311DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049ADC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049B0680 SetUnhandledExceptionFilter,__encode_pointer
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049B06B0 __encode_pointer,SetUnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049AB8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049AC060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F4B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F4C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F506B0 __encode_pointer,SetUnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F50680 SetUnhandledExceptionFilter,__encode_pointer
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F4DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F1B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F1C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F206B0 __encode_pointer,SetUnhandledExceptionFilter
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F20680 SetUnhandledExceptionFilter,__encode_pointer
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F1DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
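The process creation above (cmd.exe spawning rundll32.exe with a DLL from the user's Desktop and the export named by ordinal, #1) is the chain a detection engineer would want to catch on an endpoint, since rundll32.exe is a signed Windows binary and the DLL path and parent are the only things that look wrong. The triage routine below is an added example written for this page, not code from the report or from any vendor product: it parses the rundll32 command line (double quotes as on a real Windows command line, or single quotes as the sandbox renders them) and scores each launch on its parent process, the DLL location, ordinal exports and the module extension, alerting only when at least two traits coincide, because any one of them alone is common in legitimate administration. The event records are constructed to mirror the report's process tree; the PIDs 4948 and 5312 are the report's, the other PIDs, the parent-process list and the user-writable path list are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Parents from which a rundll32.exe launch deserves a second look (assumed list).
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Locations an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)\\|\\Windows\\Temp\\|\\ProgramData\\",
    re.I)
RUNDLL32_IMAGE = re.compile(r"(^|\\)rundll32\.exe$", re.I)
ORDINAL = re.compile(r"^#\d+$")


@dataclass
class ProcEvent:
    """Minimal process-creation record (the fields Sysmon event 1 would give you)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


def parse_rundll32_cmdline(cmdline: str) -> Tuple[str, Optional[str]]:
    """Split 'rundll32.exe <dll>[,<export>] [args]' into (dll, export).

    The DLL may be wrapped in double quotes (real command lines) or single quotes
    (how the sandbox report prints them); unquoted paths end at a comma or space.
    """
    rest = re.sub(r'^\s*"?[^"\s]*rundll32\.exe"?\s*', "", cmdline, flags=re.I)
    if rest[:1] in ("'", '"'):
        quote = rest[0]
        end = rest.find(quote, 1)
        dll, rest = rest[1:end], rest[end + 1:]
    else:
        m = re.match(r"[^,\s]+", rest)
        dll, rest = (m.group(0), rest[m.end():]) if m else ("", rest)
    export = None
    if rest.startswith(","):
        tokens = rest[1:].split()
        export = tokens[0] if tokens else ""
    return dll, export


def reasons_for(ev: ProcEvent) -> List[str]:
    """Suspicious traits of a rundll32.exe launch; empty for any other image."""
    if not RUNDLL32_IMAGE.search(ev.image):
        return []
    dll, export = parse_rundll32_cmdline(ev.cmdline)
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent is {parent}")
    if USER_WRITABLE.search(dll):
        reasons.append("DLL loaded from a user-writable path")
    if export and ORDINAL.match(export):
        reasons.append(f"export called by ordinal {export}")
    if dll and not dll.lower().endswith(".dll"):
        reasons.append("module has a non-.dll extension")
    return reasons


def triage(events: List[ProcEvent], min_reasons: int = 2) -> List[Tuple[int, List[str]]]:
    """Alert on launches that combine at least min_reasons traits."""
    alerts = []
    for ev in events:
        reasons = reasons_for(ev)
        if len(reasons) >= min_reasons:
            alerts.append((ev.pid, reasons))
    return alerts


# Constructed events modelled on the report's process tree.
SAMPLE_EVENTS = [
    ProcEvent(4948, r"C:\Windows\SysWOW64\cmd.exe",
              r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1",
              r"C:\Windows\System32\loaddll32.exe"),
    ProcEvent(5312, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1",
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(7001, r"C:\Windows\System32\rundll32.exe",                   # benign control panel launch
              r'"C:\Windows\System32\rundll32.exe" "C:\Windows\system32\shell32.dll",Control_RunDLL',
              r"C:\Windows\explorer.exe"),
    ProcEvent(7002, r"C:\Windows\System32\rundll32.exe",                   # admin script: one trait only
              r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /in",
              r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

The same traits map onto the loaddll32.exe stage of the tree: that binary is the sandbox's own loader and will not appear on a real endpoint, so the cmd.exe to rundll32.exe hop is the first link an EDR would actually see.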
            Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_011D4454 cpuid
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1E8A GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0112A8A0 GetLocaleInfoA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_030E1E8A GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0312A8A0 GetLocaleInfoA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_04971E8A GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_049BA8A0 GetLocaleInfoA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F11E8A GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_02F5A8A0 GetLocaleInfoA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02EE1E8A GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_02F2A8A0 GetLocaleInfoA
            Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError
            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_03294454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree
            Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_010E1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
            Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

            Mitre Att&ck Matrix

            The matrix lists one row per tactic. Techniques the report matched carry the number of matching signatures in parentheses; the others are the unmatched cells of the matrix template.

            Tactic | Techniques
            --- | ---
            Initial Access | Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
            Execution | Windows Management Instrumentation (1), Native API (1), At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
            Persistence | Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
            Privilege Escalation | Process Injection (12), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
            Defense Evasion | Masquerading (1), Process Injection (12), Obfuscated Files or Information (1), Rundll32 (1), Software Packing (1), Steganography, Compile After Delivery, Indicator Removal from Tools
            Credential Access | Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
            Discovery | System Time Discovery (1), Query Registry (1), Security Software Discovery (2), Process Discovery (2), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (34)
            Lateral Movement | Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
            Collection | Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
            Exfiltration | Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Command and Control | Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
            Network Effects | Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
            Remote Service Effects | Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
            Impact | Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

            Behavior Graph

            Behavior Graph ID: 446439. Sample: 3d0.dll. Start date: 09/07/2021. Architecture: WINDOWS. Score: 80.

            The graph image is not reproduced here; its nodes and edges are listed below as a tree. The numbers after a process name are the counts the graph legend defines as created registry values and created files.

            3d0.dll (root)
              DNS/IP: authd.feronok.com
              Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 2 other signatures
              loaddll32.exe (1), started
                rundll32.exe, started. Signature: Writes registry values via WMI
                cmd.exe (1), started
                  rundll32.exe, started
                rundll32.exe, started
                3 other processes
              iexplore.exe (2, 59), started
                iexplore.exe (27), started

            Screenshots

            Thumbnails

            This section contains all screenshots as thumbnails, including those not shown in the slideshow.