Play interactive tour

Edit tour

Windows Analysis Report 3d0.dll

Overview

General Information

Sample Name:	3d0.dll
Analysis ID:	446439
MD5:	3d080af5324b49363773d0db21b620ed
SHA1:	2724f486e0f8607eda3ea9e9783ea4f46bc98342
SHA256:	c21498aea57a809c36258572bc551c6047a4bf93958bc7a3d4b46d844fc9f1b3
Tags:	dllgozi
Infos:
Most interesting Screenshot:

Detection

Ursnif

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Ursnif

Machine Learning detection for sample

Writes registry values via WMI

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries the installation date of Windows

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 5364 cmdline: loaddll32.exe 'C:\Users\user\Desktop\3d0.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)

cmd.exe (PID: 4948 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 5312 cmdline: rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5544 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 1288 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Did MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3040 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6036 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6132 cmdline: rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 5040 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4968 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "c946IFxWIDGK9Hq1Ybb438yBu8Cj3egs+XQOxscJJsDTjHJFh9R3UWfjeG6mmXpq1NpAgebksnoZUidy5aQquO4l2kngoJviyLUUuuyzBCrx3/NomLag07NZIvCCUnkHmthu91L5hF46C2c/M3O0C6vE49KPiNZZJM77Kb93s25NFKjcj9Vn7XCgp3iYFMPmh7k5s+Do1zOfVMTWbqUnBJgxmQuc10Qd1Uw6Ijr84I4ace4Xe6fmScTrxv7elZHW9xwBGYTCV+2TyjBLdlrvczgkBNBMV8eyommZtWxH+x7W9FA8cYZRvDdfEkxW2aBLg+UhdWBTncvMhOi/WlMileBBGGOX5LpmS2dOYm1o85s=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "acGSuehuI5dQ2qw3", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: rundll32.exe PID: 5312	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 5 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000004.00000003.400598077.0000000003050000.00000040.00000001.sdmp

Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "c946IFxWIDGK9Hq1Ybb438yBu8Cj3egs+XQOxscJJsDTjHJFh9R3UWfjeG6mmXpq1NpAgebksnoZUidy5aQquO4l2kngoJviyLUUuuyzBCrx3/NomLag07NZIvCCUnkHmthu91L5hF46C2c/M3O0C6vE49KPiNZZJM77Kb93s25NFKjcj9Vn7XCgp3iYFMPmh7k5s+Do1zOfVMTWbqUnBJgxmQuc10Qd1Uw6Ijr84I4ace4Xe6fmScTrxv7elZHW9xwBGYTCV+2TyjBLdlrvczgkBNBMV8eyommZtWxH+x7W9FA8cYZRvDdfEkxW2aBLg+UhdWBTncvMhOi/WlMileBBGGOX5LpmS2dOYm1o85s=", "c2_domain": ["authd.feronok.com", "app.bighomegl.at"], "botnet": "6000", "server": "580", "serpent_key": "acGSuehuI5dQ2qw3", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}

Multi AV Scanner detection for domain / URL

Show sources

Source: authd.feronok.com

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: 3d0.dll

Virustotal: Detection: 55%

Perma Link

Machine Learning detection for sample

Show sources

Source: 3d0.dll

Joe Sandbox ML: detected

Source: 4.2.rundll32.exe.30e0000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10e0000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen8

Source: 3d0.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source:

Binary string: c:\834\Bar\Me\shop\Prop\Woman \where.pdb source: loaddll32.exe, 00000000.00000002.479359955.0000000001134000.00000002.00020000.sdmp, rundll32.exe, 00000004.00000002.481255788.0000000003134000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.481586184.00000000049C4000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.480846819.0000000002F64000.00000002.00020000.sdmp, rundll32.exe, 00000008.00000002.481573305.0000000002F34000.00000002.00020000.sdmp, 3d0.dll

Source: unknown

DNS traffic detected: queries for: authd.feronok.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

Source: loaddll32.exe, 00000000.00000002.480410281.000000000171B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

System Summary:

Writes registry values via WMI

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E1B9C GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E1EC7 NtMapViewOfSection,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E2485 NtQueryVirtualMemory,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D2D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D8005 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E1B9C GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E1EC7 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E2485 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04972485 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F11EC7 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F11B9C GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F12485 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_03292D06 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_03298005 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02EE1EC7 NtMapViewOfSection,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02EE1B9C GetProcAddress,NtCreateSection,memset,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02EE2485 NtQueryVirtualMemory,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E2264
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D3109
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D7DE0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D2206
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01115A90
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011225D0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011217F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E2264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03115A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_031217F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_031225D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04972264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049A5A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049B25D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049B17F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F12264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_03293109
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_03297DE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_03292206
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F45A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F517F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F525D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02EE2264
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F15A90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F217F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F225D0

Source: 3d0.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: classification engine

Classification label: mal80.troj.winDLL@18/5@3/0

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_011D513E CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFD2FE459C37A3F042.TMP

Jump to behavior

Source: 3d0.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin

Source: 3d0.dll

Virustotal: Detection: 55%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\3d0.dll'
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Did
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Did
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 3d0.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 3d0.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: 3d0.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 3d0.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 3d0.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 3d0.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 3d0.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_010E1F7C LoadLibraryA,GetProcAddress,

Source: 3d0.dll

Static PE information: real checksum: 0x7cc80 should be: 0x7d379

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E2200 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010E2253 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D7DCF push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011D7A60 push ecx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010F0815 push esi; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010F4391 pushfd ; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010EE204 push ebx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010F45B9 push ds; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010F266E push eax; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_010F4ECD push ebx; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01157D0C push edx; ret
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0115773B push esp; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01156D42 push ebp; iretd
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011574B3 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E2200 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030E2253 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030F4391 pushfd ; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030EE204 push ebx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030F0815 push esi; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030F266E push eax; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030F4ECD push ebx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_030F45B9 push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03157D0C push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0315773B push esp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03156D42 push ebp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_031574B3 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04972200 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04972253 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049845B9 push ds; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_04984ECD push ebx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_0498266E push eax; ret

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\loaddll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_010E1F7C LoadLibraryA,GetProcAddress,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01154F71 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01154EA7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01154AAE push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03154F71 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03154EA7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03154AAE push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049E4F71 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049E4AAE push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049E4EA7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F84F71 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F84AAE push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F84EA7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F54F71 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F54EA7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F54AAE push dword ptr fs:[00000030h]

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_0111B900 GetProcessHeap,RtlAllocateHeap,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,__heap_init,__mtinit,__heap_term,__RTC_Initialize,GetCommandLineA,___crtGetEnvironmentStringsA,__mtterm,__heap_term,___setargv,__setenvp,__cinit,__ioterm,__mtterm,__heap_term,__CrtSetDbgFlag,__CrtDumpMemoryLeaks,__ioterm,__mtterm,__heap_term,___set_flsgetvalue,__encode_pointer,__initptd,GetCurrentThreadId,__freeptd,

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0111C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0111B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_0111DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_01120680 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_011206B0 __encode_pointer,SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0311C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0311B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_03120680 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_031206B0 __encode_pointer,SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_0311DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049ADC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049B0680 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049B06B0 __encode_pointer,SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049AB8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_2_049AC060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F4B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F4C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F506B0 __encode_pointer,SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F50680 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_02F4DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F1B8F0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F1C060 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F206B0 __encode_pointer,SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F20680 SetUnhandledExceptionFilter,__encode_pointer,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_02F1DC70 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1

Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.480485802.0000000001BA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.481732138.00000000037E0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.481214417.0000000003560000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.481514299.00000000034B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.481915733.0000000003400000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_011D4454 cpuid

Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\System32\loaddll32.exe	Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoA,

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_010E1144 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_03294454 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_010E1F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5312, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Path Interception	Process Injection12	Masquerading1	Input Capture1	System Time Discovery1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Query Registry1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Security Software Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Rundll321	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	File and Directory Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Information Discovery34	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
3d0.dll	56%	Virustotal		Browse
3d0.dll	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
0.2.loaddll32.exe.11d0000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
4.2.rundll32.exe.30e0000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
4.2.rundll32.exe.3080000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
7.2.rundll32.exe.3290000.2.unpack	100%	Avira	HEUR/AGEN.1108168	Download File
0.2.loaddll32.exe.10e0000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen8	Download File
8.2.rundll32.exe.2d60000.1.unpack	100%	Avira	HEUR/AGEN.1108168	Download File

Domains

Source	Detection	Scanner	Label	Link
authd.feronok.com	10%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
authd.feronok.com	unknown	unknown	true	10%, Virustotal, Browse	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	446439
Start date:	09.07.2021
Start time:	16:06:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 30s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	3d0.dll
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.winDLL@18/5@3/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 15.7% (good quality ratio 15.1%) Quality average: 79.6% Quality standard deviation: 28.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .dll
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, ielowutil.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.42.151.234, 52.255.188.83, 168.61.161.212, 13.88.21.125, 95.100.54.203, 23.0.174.185, 23.0.174.200, 104.43.193.48, 104.43.139.144, 20.190.160.5, 20.190.160.7, 20.190.160.9, 20.190.160.130, 20.190.160.1, 20.190.160.133, 20.190.160.70, 20.190.160.74, 20.50.102.62, 2.18.105.186 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, go.microsoft.com, login.live.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus16.cloudapp.net, www.tm.a.prd.aadg.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, skypedataprdcolwus15.cloudapp.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:08:59	API Interceptor	2x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A8A3996F-E10A-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	21592
Entropy (8bit):	1.7605308742054366
Encrypted:	false
SSDEEP:	48:Iw0GcprxGwpLFG/ap8RGIpcLZzGvnZpvLZrGo4qp9LZdGo4hpmLaYGWGWR:roZrZh2TWLatLbfLMhML7
MD5:	909BD268F7852C0E4A1CD0EC5330B996
SHA1:	03C6C9EBEE7BEB31FE6DB4B2B5681E2A4FD4396A
SHA-256:	C7B0B26E29061900B9EC009003742854DFC0F5CD0888C04449D9041B5E327B41
SHA-512:	21E7D613DF463DEE44BA1E06172A387401833737E0E88B27E0D4B824F227D3D9FD157F2963589E5482E49AB17D9EF55BF512B82C4D8791C260F32217EDD4E3E2
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A8A39971-E10A-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	16984
Entropy (8bit):	1.5734626457757865
Encrypted:	false
SSDEEP:	48:IwqGcprnGwpanG4pQHGrapbSaGQpBSGHHpcTTGUpG:rOZxQJ6bBSijp2tA
MD5:	5BF87CAC9DE6B9716F48D44798EBF4F3
SHA1:	AE81D526E52A9C4FF7E5242F24B9E027D5574322
SHA-256:	BA8A6A61ECAD3919418C5092ACC981729C4CEC27A5F18D4582CEA6E4AC36B767
SHA-512:	7A1550634BD132BBE996C7BC1D12ABFD3774E1C032327E83C66D446254C3C7BA53320EBBB64FB467FB1C8064F1A6D50F4CFCE8D2031B5500239F68467810E78B
Malicious:	false
Reputation:	low
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\dnserror[1] Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	2997
Entropy (8bit):	4.4885437940628465
Encrypted:	false
SSDEEP:	48:u7u5V4VyhhV2lFUW29vj0RkpNc7KpAP8Rra:vIlJ6G7Ao8Ra
MD5:	2DC61EB461DA1436F5D22BCE51425660
SHA1:	E1B79BCAB0F073868079D807FAEC669596DC46C1
SHA-256:	ACDEB4966289B6CE46ECC879531F85E9C6F94B718AAB521D38E2E00F7F7F7993
SHA-512:	A88BECB4FBDDC5AFC55E4DC0135AF714A3EEC4A63810AE5A989F2CECB824A686165D3CEDB8CBD8F35C7E5B9F4136C29DEA32736AABB451FE8088B978B493AC6D
Malicious:	false
Preview:	.<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css" >.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can’t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="getInfo(); initMoreInfo('infoBlockID');">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can’t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>..

C:\Users\user\AppData\Local\Temp\~DF629150E4B97AFAC5.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	25657
Entropy (8bit):	0.3137598701003095
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lRg9lRA9lTS9lTy9lSSd9lSSd9lwt729lwtS9l2td:kBqoxKAuvScS+151T
MD5:	F8CDCB637A8820227F00CD66B0134799
SHA1:	A674F500673CBA7AEE21A83B0ACE6B6DB48FDE42
SHA-256:	0A84322FA5715C9D23074D5159F0C6517EBDEC4DDE57F251CA7FBD546082CFBF
SHA-512:	A2F1537F3AEB1DA4F2C4271DF21315D0CAAE0922F763FA835AFAA68A8FAB56E2EBD86A8FD9B5072A4533F3DC998BF6896C643AB5C643EE268C05D76A89CB339C
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFD2FE459C37A3F042.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	12917
Entropy (8bit):	0.39848483000472396
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo6F9loW9lWru5OFYL:kBqoIBHryM+
MD5:	BD74D4AC6481E9EEF6E8334DF3FEFD77
SHA1:	CACD0A5223D35D1DDF0248924F7DB33E254EFD18
SHA-256:	585F5629711A9596DEBB6355CE35412C5FFE16C97B105BBCEF7235C796E33EA3
SHA-512:	376943D168B058A8134F4061125A9F46051BBFB10D38CFC38DA0F17053D02928C7CAAD2B7E5AC2D4862A7473C71351A38E0F38D63696579D38211AAF7DDD0EA7
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.556958108983917
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 98.32% Windows Screen Saver (13104/52) 1.29% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3d0.dll
File size:	503809
MD5:	3d080af5324b49363773d0db21b620ed
SHA1:	2724f486e0f8607eda3ea9e9783ea4f46bc98342
SHA256:	c21498aea57a809c36258572bc551c6047a4bf93958bc7a3d4b46d844fc9f1b3
SHA512:	d68d25125dc209f16936b8baad4334f7bb6c4fa58207fafd5428cb1c98630d668da6253e010ac4bb4dedd1dd418f1f31e08acef689e5f663fbde28c7935fadc0
SSDEEP:	12288:BsYGY1GlobL6LRsn7l7tFG7vj1PpBsB0YBi7cY2ab51tB+:BsYG4dAGnZ7/GFPp4PYNb51tk
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9...WH..WH..WH...H..WHM )H..WH."*H..WH.":HR.WH...H..WH..VHw.WH."9H..WH."-H..WH."+H..WH."/H..WHRich..WH.......................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x103bc30
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x1000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:
Time Stamp:	0x466EF456 [Tue Jun 12 19:30:30 2007 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d0a22a500d7e527f20cf198a5d20bfd2

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007FD20CC24F47h
call 00007FD20CC2F2F7h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call 00007FD20CC24F56h
add esp, 0Ch
pop ebp
retn 000Ch
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push FFFFFFFEh
push 01071140h
push 0103D5E0h
mov eax, dword ptr fs:[00000000h]
push eax
add esp, FFFFFFE8h
push ebx
push esi
push edi
mov eax, dword ptr [010731E0h]
xor dword ptr [ebp-08h], eax
xor eax, ebp
push eax
lea eax, dword ptr [ebp-10h]
mov dword ptr fs:[00000000h], eax
mov dword ptr [ebp-18h], esp
mov dword ptr [ebp-1Ch], 00000001h
cmp dword ptr [ebp+0Ch], 00000000h
jne 00007FD20CC24F52h
cmp dword ptr [01087FB8h], 00000000h
jne 00007FD20CC24F49h
xor eax, eax
jmp 00007FD20CC25093h
mov dword ptr [ebp-04h], 00000000h
cmp dword ptr [ebp+0Ch], 01h
je 00007FD20CC24F48h
cmp dword ptr [ebp+0Ch], 02h
jne 00007FD20CC24F96h
cmp dword ptr [0106B584h], 00000000h
je 00007FD20CC24F57h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call dword ptr [0106B584h]
mov dword ptr [ebp-1Ch], eax
cmp dword ptr [ebp-1Ch], 00000000h
je 00007FD20CC24F56h
mov eax, dword ptr [ebp+10h]
push eax
mov ecx, dword ptr [ebp+0Ch]
push ecx
mov edx, dword ptr [ebp+08h]
push edx
call 00007FD20CC24B4Dh

Rich Headers

Programming Language:

[RES] VS2005 build 50727
[ C ] VS2005 build 50727
[EXP] VS2005 build 50727
[C++] VS2005 build 50727
[ASM] VS2005 build 50727
[LNK] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x72270	0x96	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x71748	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8b000	0x2144	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x54240	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x70ae0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x54000	0x1e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5276f	0x53000	False	0.69192100433	data	6.60509734731	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x54000	0x1e306	0x1f000	False	0.611036731351	data	5.73468988943	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x73000	0x16c28	0x2000	False	0.149047851562	data	1.80021341356	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0xf8	0x1000	False	0.04541015625	data	0.443235452886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8b000	0x44bc	0x5000	False	0.34267578125	data	3.71306442845	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_MANIFEST	0x8a060	0x91	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	CreateFileA, CloseHandle, SetFilePointer, GetConsoleOutputCP, WriteConsoleA, SetStdHandle, LoadLibraryA, GetStringTypeW, GetStringTypeA, GetLocaleInfoA, LoadLibraryW, OutputDebugStringW, WriteConsoleW, OutputDebugStringA, DebugBreak, GetConsoleMode, GetConsoleCP, FlushFileBuffers, WriteFile, GetSystemDirectoryA, GetCurrentDirectoryA, GetModuleFileNameA, GetEnvironmentVariableA, VirtualProtectEx, TlsAlloc, InterlockedIncrement, InterlockedDecrement, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, RaiseException, HeapValidate, IsBadReadPtr, RtlUnwind, GetCurrentThreadId, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameW, FatalAppExitA, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, WideCharToMultiByte, MultiByteToWideChar, LCMapStringA, GetLastError, LCMapStringW, GetACP, GetOEMCP, GetCPInfo, GetProcAddress, GetModuleHandleA, TlsGetValue, TlsSetValue, TlsFree, SetLastError, HeapReAlloc, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, ExitProcess, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime
USER32.dll	FillRect, TrackPopupMenu, DrawFrameControl, PostMessageA, IsDialogMessageA, GetActiveWindow, AppendMenuA, MapWindowPoints, GetSystemMetrics, DestroyMenu, BeginPaint, InvalidateRect, ValidateRect, SetWindowLongA
RPCRT4.dll	RpcRaiseException, RpcStringFreeA, RpcServerListen, RpcMgmtSetServerStackSize, I_RpcBindingIsClientLocal, UuidFromStringA, UuidCreate, RpcImpersonateClient, RpcRevertToSelf, NdrServerCall2
Secur32.dll	FreeContextBuffer, DeleteSecurityContext, QueryContextAttributesA, InitializeSecurityContextA, QuerySecurityPackageInfoA
COMCTL32.dll	ImageList_SetOverlayImage, DestroyPropertySheetPage, ImageList_Add, CreateToolbarEx, ImageList_Destroy, PropertySheetA

Exports

Name	Ordinal	Address
Childrenwin	1	0x1037030
Did	2	0x1036f50
Egggun	3	0x1037f40
Instantprepare	4	0x1036b60
Otherdesign	5	0x1037130

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 9, 2021 16:06:57.352068901 CEST	50620	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:06:57.365098953 CEST	53	50620	8.8.8.8	192.168.2.3
Jul 9, 2021 16:06:57.371787071 CEST	64938	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:06:57.384784937 CEST	53	64938	8.8.8.8	192.168.2.3
Jul 9, 2021 16:06:58.512778997 CEST	60152	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:06:58.526881933 CEST	53	60152	8.8.8.8	192.168.2.3
Jul 9, 2021 16:06:59.201056004 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:06:59.214080095 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:01.694236040 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:01.708488941 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:02.754949093 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:02.768912077 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:04.101135015 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:04.116830111 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:05.044939041 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:05.061602116 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:05.814675093 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:05.827651024 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:44.206559896 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:44.269917965 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 9, 2021 16:07:55.629579067 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:07:55.677076101 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:33.819577932 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:33.833997965 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:55.580288887 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:55.596407890 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:57.205854893 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:57.218764067 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:58.641016006 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:58.653860092 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:59.434595108 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:59.448905945 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 9, 2021 16:08:59.608179092 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:08:59.649327993 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:00.080173016 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:00.115365982 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:00.225277901 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:00.242109060 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:01.023397923 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:01.038414955 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:01.775357962 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:01.787420988 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:02.544472933 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:02.560201883 CEST	53	54366	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:03.363470078 CEST	53034	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:03.377631903 CEST	53	53034	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:07.669938087 CEST	57762	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:07.691886902 CEST	53	57762	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:09.381865978 CEST	55435	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:09.417860985 CEST	53	55435	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:09.435143948 CEST	50713	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:09.466312885 CEST	53	50713	8.8.8.8	192.168.2.3
Jul 9, 2021 16:09:09.496572018 CEST	56132	53	192.168.2.3	8.8.8.8
Jul 9, 2021 16:09:09.510890007 CEST	53	56132	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 9, 2021 16:09:09.381865978 CEST	192.168.2.3	8.8.8.8	0xfa31	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jul 9, 2021 16:09:09.435143948 CEST	192.168.2.3	8.8.8.8	0x7635	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)
Jul 9, 2021 16:09:09.496572018 CEST	192.168.2.3	8.8.8.8	0xa0c7	Standard query (0)	authd.feronok.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 9, 2021 16:08:59.649327993 CEST	8.8.8.8	192.168.2.3	0x278c	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)
Jul 9, 2021 16:09:09.417860985 CEST	8.8.8.8	192.168.2.3	0xfa31	Name error (3)	authd.feronok.com	none	none	A (IP address)	IN (0x0001)
Jul 9, 2021 16:09:09.466312885 CEST	8.8.8.8	192.168.2.3	0x7635	Name error (3)	authd.feronok.com	none	none	A (IP address)	IN (0x0001)
Jul 9, 2021 16:09:09.510890007 CEST	8.8.8.8	192.168.2.3	0xa0c7	Name error (3)	authd.feronok.com	none	none	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 5364 Parent PID: 5608

General

Start time:	16:07:04
Start date:	09/07/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe 'C:\Users\user\Desktop\3d0.dll'
Imagebase:	0x1180000
File size:	116736 bytes
MD5 hash:	542795ADF7CC08EFCF675D65310596E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 4948 Parent PID: 5364

General

Start time:	16:07:04
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5544 Parent PID: 5364

General

Start time:	16:07:05
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3d0.dll,Childrenwin
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 5312 Parent PID: 4948

General

Start time:	16:07:05
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe 'C:\Users\user\Desktop\3d0.dll',#1
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471466961.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471539450.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000002.484867910.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471563129.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471585703.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471598164.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471441604.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471514910.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.471488667.00000000059B8000.00000004.00000040.sdmp, Author: Joe Security
Reputation:	high

Analysis Process: rundll32.exe PID: 1288 Parent PID: 5364

General

Start time:	16:07:09
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3d0.dll,Did
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 3040 Parent PID: 5364

General

Start time:	16:07:13
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3d0.dll,Egggun
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6036 Parent PID: 5364

General

Start time:	16:07:19
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3d0.dll,Instantprepare
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 6132 Parent PID: 5364

General

Start time:	16:07:25
Start date:	09/07/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\3d0.dll,Otherdesign
Imagebase:	0xf0000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 5040 Parent PID: 792

General

Start time:	16:09:06
Start date:	09/07/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff676450000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: iexplore.exe PID: 4968 Parent PID: 5040

General

Start time:	16:09:07
Start date:	09/07/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5040 CREDAT:17410 /prefetch:2
Imagebase:	0xb50000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 3d0.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Ursnif

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: loaddll32.exe PID: 5364 Parent PID: 5608